

ENSURING FAIRNESS AND ACCURACY IN 
ELECTIONS INVOLVING ELECTRONIC VOTING 
SYSTEMS 


HEARING 

BEFORE THE 

SUBCOMMITTEE ON INFORMATION POLICY,
CENSUS, AND NATIONAL ARCHIVES

OF THE

COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM

HOUSE OF REPRESENTATIVES

ONE HUNDRED TENTH CONGRESS 

FIRST SESSION 

APRIL 18, 2007 

Serial No. 110-5 


Printed for the use of the Committee on Oversight and Government Reform 



Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html 
http://www.oversight.house.gov 


U.S. GOVERNMENT PRINTING OFFICE 
36-768 PDF WASHINGTON : 2007 


For sale by the Superintendent of Documents, U.S. Government Printing Office 
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 


COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM


HENRY A. WAXMAN, California, Chairman


TOM LANTOS, California 


TOM DAVIS, Virginia 
DAN BURTON, Indiana 


EDOLPHUS TOWNS, New York 
PAUL E. KANJORSKI, Pennsylvania 
CAROLYN B. MALONEY, New York 
ELIJAH E. CUMMINGS, Maryland 
DENNIS J. KUCINICH, Ohio 
DANNY K. DAVIS, Illinois 
JOHN F. TIERNEY, Massachusetts 
WM. LACY CLAY, Missouri 
DIANE E. WATSON, California 
STEPHEN F. LYNCH, Massachusetts 
BRIAN HIGGINS, New York 
JOHN A. YARMUTH, Kentucky 
BRUCE L. BRALEY, Iowa 
ELEANOR HOLMES NORTON, District of 
Columbia 

BETTY McCOLLUM, Minnesota 
JIM COOPER, Tennessee 
CHRIS VAN HOLLEN, Maryland 
PAUL W. HODES, New Hampshire 
CHRISTOPHER S. MURPHY, Connecticut 
JOHN P. SARBANES, Maryland 
PETER WELCH, Vermont 


CHRISTOPHER SHAYS, Connecticut 

JOHN M. McHUGH, New York 

JOHN L. MICA, Florida 

MARK E. SOUDER, Indiana 

TODD RUSSELL PLATTS, Pennsylvania 

CHRIS CANNON, Utah 

JOHN J. DUNCAN, Jr., Tennessee

MICHAEL R. TURNER, Ohio 

DARRELL E. ISSA, California 

KENNY MARCHANT, Texas 

LYNN A. WESTMORELAND, Georgia 

PATRICK T. McHENRY, North Carolina 

VIRGINIA FOXX, North Carolina 

BRIAN P. BILBRAY, California 

BILL SALI, Idaho 


Phil Schiliro, Chief of Staff 
Phil Barnett, Staff Director 
Earley Green, Chief Clerk 
David Marin, Minority Staff Director 

Subcommittee on Information Policy, Census, and National Archives 

WM. LACY CLAY, Missouri, Chairman 
PAUL E. KANJORSKI, Pennsylvania MICHAEL R. TURNER, Ohio 

CAROLYN B. MALONEY, New York CHRIS CANNON, Utah 

JOHN A. YARMUTH, Kentucky BILL SALI, Idaho 

PAUL W. HODES, New Hampshire 

Tony Haywood, Staff Director 





CONTENTS 


Hearing held on April 18, 2007

Statement of:

    Carnahan, Robin, Secretary of State, State of Missouri; Avi D. Rubin,
    technical director, Information Security Institute, Department of
    Computer Science, Johns Hopkins University; John S. Groh, vice
    president, Election Systems and Software International, and chairman,
    Election Technology Council; and Diane Golden, director, Missouri
    Assistive Technology Council, on behalf of the National Association
    of Assistive Technology Act Programs
        Carnahan, Robin
        Golden, Diane
        Groh, John S.
        Rubin, Avi D.

    Hillman, Gracia, Commissioner, U.S. Election Assistance Commission;
    and Randolph Hite, Director, Information Technology Architecture and
    Systems, U.S. Government Accountability Office
        Hillman, Gracia
        Hite, Randolph

Letters, statements, etc., submitted for the record by:

    Carnahan, Robin, Secretary of State, State of Missouri, prepared
    statement of

    Clay, Wm. Lacy, a Representative in Congress from the State of
    Missouri, prepared statement of

    Golden, Diane, director, Missouri Assistive Technology Council, on
    behalf of the National Association of Assistive Technology Act
    Programs, prepared statement of

    Groh, John S., vice president, Election Systems and Software
    International, and chairman, Election Technology Council, prepared
    statement of

    Hillman, Gracia, Commissioner, U.S. Election Assistance Commission,
    prepared statement of

    Hite, Randolph, Director, Information Technology Architecture and
    Systems, U.S. Government Accountability Office, prepared statement of

    Maloney, Hon. Carolyn B., a Representative in Congress from the State
    of New York, prepared statement of

    Rubin, Avi D., technical director, Information Security Institute,
    Department of Computer Science, Johns Hopkins University, prepared
    statement of

    Sali, Hon. Bill, a Representative in Congress from the State of Idaho,
    prepared statement of

    Turner, Hon. Michael R., a Representative in Congress from the State
    of Ohio, prepared statement of

    Yarmuth, Hon. John A., a Representative in Congress from the State
    of Kentucky, prepared statement of






ENSURING FAIRNESS AND ACCURACY IN 
ELECTIONS INVOLVING ELECTRONIC VOT- 
ING SYSTEMS 


WEDNESDAY, APRIL 18, 2007 

House of Representatives, 

Subcommittee on Information Policy, Census, and 

National Archives, 

Committee on Oversight and Government Reform, 

Washington, DC. 

The subcommittee met, pursuant to notice, at 2 p.m. in room 
2154, Rayburn House Office Building, Hon. Wm. Lacy Clay (chair- 
man of the subcommittee) presiding. 

Present: Representatives Clay, Hodes, Maloney, Sali, Turner, 
Yarmuth, and Watson. 

Staff present: Tony Haywood, staff director and counsel; Alissa 
Bonner and Adam C. Bordes, professional staff members; Jean 
Gosa, clerk; Nidia Salazar, staff assistant; Leneal Scott, informa- 
tion systems manager; Jacy Dardine, intern; Jay O’Callaghan, mi- 
nority professional staff member; John Cuaderes, minority senior 
investigator and policy advisor; and Benjamin Chance, minority 
clerk. 

Mr. Clay. The Subcommittee on Information Policy, Census, and 
National Archives of the Committee on Oversight and Government 
Reform will now come to order. Today’s hearing will examine issues 
relating to ensuring fairness and accuracy in elections involving 
electronic voting systems. 

Without objection, the Chair and ranking minority member will 
have 5 minutes to make opening statements, followed by opening 
statements not to exceed 3 minutes by any other Member who 
seeks recognition. 

Without objection, Members or witnesses may have 5 legislative
days to submit a written statement or extraneous material for the
record.

Let me start off by saying good afternoon and welcome to today’s 
hearing. As we enter the 2008 election season, it is essential that 
this subcommittee examine the use of modern electronic voting sys- 
tems and the potential vulnerabilities associated with them. The 
principle of free and fair elections is the foundation of our demo- 
cratic Government. The constitutional right to vote has enabled our 
Nation’s citizens to be stakeholders in the greatest democratic ex- 
periment the world has ever known. 

The need for uniform standards to govern Federal elections
became painfully clear in the weeks following the 2000 Presidential
election in Florida. In response to news reports of hanging chads,
invalid punch card ballots and insufficient controls over voter
registration systems in Florida, Congress passed the Help America
Vote Act of 2002. HAVA is the first comprehensive Federal law
establishing requirements for the administration of Federal elections.

These requirements cover voting system standards and voter in- 
formation and registration requirements. HAVA created the Elec- 
tion Assistance Commission to serve as a national clearinghouse 
for election information, to develop standards for electronic voting 
systems, and to assist State and local governments in their HAVA 
compliance efforts. 

Research and development activities required by HAVA are
carried out by the National Institute of Standards and Technology
under the EAC’s direction. To date, Congress has appropriated over
$3 billion to the EAC for these activities. With grants from the
EAC, many State and local jurisdictions have attempted to improve
the reliability and accuracy of the voting process by replacing
antiquated punch card or lever machine systems with electronic voting
systems such as direct recording electronic or optical scan systems.

Unfortunately, numerous State and local governments have re- 
ported significant problems with electronic systems. The still-con- 
tested House election in Florida’s 13th District is a prominent ex- 
ample of how in some instances electronic voting systems have pro- 
duced unreliable results, raising concerns among voting system ex- 
perts, and causing distrust among voters. 

Accordingly, I believe we should pursue two major goals in mov- 
ing forward with new electronic voting system requirements. First, 
we should utilize technology that provides an independent 
auditable voting record that can be verified by election officials, 
such as a paper audit trail for DREs. In addition, we should ensure 
that electronic voting system standards meet the need for adequate 
privacy safeguards and accessibility for the disabled. These efforts 
would help to ensure that every vote is accurately counted. 

Second, we must try to make the process for testing software 
code more transparent. This would enable both the EAC and elec- 
tion officials to determine which products are the most secure, reli- 
able and available in the marketplace. To do this, I believe the 
EAC and the NIST should search for new opportunities to partner 
with our federally funded research community in order to improve 
our vulnerability testing and certification practices. 

Furthermore, the EAC should fully implement GAO’s rec- 
ommendations for strengthening the commission’s efforts to become 
a true national clearinghouse for election administration. 

Unfortunately, the technological challenges we face are
compounded by problems with the EAC itself. Recent news reports
indicate that the EAC has failed to carry out certain responsibilities
required by HAVA. During the past week, the New York Times and
other publications have reported that the EAC edited the findings
of a Government-funded report on voter fraud to support partisan
efforts to mislead the public on the pervasiveness of fraud.

Furthermore, we have learned that recent research on State 
voter ID standards conducted by Rutgers University for the EAC 
was rejected for questionable reasons. These developments suggest 
that the bipartisan EAC may be improperly politicizing their work. 





At the very least, it appears that the EAC has strayed from its 
mandate to develop and disseminate vital information on major 
election-related topics to the public in an objective manner. As a re- 
sult, I have serious concerns about how the EAC is handling its 
stewardship role within our Federal election system. 

It is my hope that our witnesses today can address these issues 
and offer recommendations to remedy the challenges we face. 

Testifying on our first panel will be Commissioner Gracia 
Hillman of the Election Assistance Commission, and Mr. Randolph 
Hite of the Government Accountability Office. Our second panel in- 
cludes four distinguished witnesses from both the public and pri- 
vate sector: The Honorable Robin Carnahan, Missouri Secretary of 
State; Professor Avi Rubin of Johns Hopkins University; Mr. John 
Groh, vice president of Election Systems and Software, and chair- 
man of the Election Technology Council; and Dr. Diane Golden of 
the Missouri Assistive Technology Council. 

I welcome all of our witnesses and look forward to an informative 
and frank discussion on these issues. 

Now I recognize the ranking member from Ohio, Mr. Turner. 

[The prepared statement of Hon. Wm. Lacy Clay follows:] 





Opening Statement of Rep. Wm. Lacy Clay (D-MO), Chairman 
Subcommittee on Information Policy, Census, and National Archives 
House Committee on Oversight and Government Reform 
Hearing on “Electronic Voting” 

April 18, 2007 


Good afternoon and welcome to today’s hearing. As we
enter the 2008 election season, it is essential that this
subcommittee examine the use of modern electronic voting
systems, and the potential vulnerabilities associated with them.

The principle of free and fair elections is the foundation of 
our democratic government. The constitutional right to vote has 
enabled our nation’s citizens to be stakeholders in the greatest 
democratic experiment the world has ever known. 

The need for uniform standards to govern federal elections 
became painfully clear in the weeks following the 2000 
Presidential election in Florida. In response to news reports of 
“hanging chads,” invalid punch card ballots, and insufficient 
controls over voter registration systems in Florida, Congress 
passed the Help America Vote Act of 2002, or HAVA. 

HAVA is the first comprehensive federal law establishing 
requirements for the administration of federal elections. These 
requirements cover voting system standards, voter information, 
and registration requirements. HAVA created the Election 
Assistance Commission (EAC) to serve as a national clearinghouse 
for election information, to develop standards for electronic voting 
systems, and to assist state and local governments in their HAVA 
compliance efforts. Research and development activities required
by HAVA are carried out by the National Institute of Standards
and Technology, under the EAC’s direction.

To date, Congress has appropriated over $3 billion to the 
EAC for these activities. With grants from the EAC, many state 
and local jurisdictions have attempted to improve the reliability 
and accuracy of the voting process by replacing antiquated punch 
card or lever machine systems with electronic voting systems, such 
as Direct Recording Electronic or Optical Scan systems. 

Unfortunately, numerous state and local governments have
reported significant problems with electronic voting systems. The
still-contested House election in Florida’s 13th District is a
prominent example of how, in some instances, electronic voting
systems have produced unreliable results, raising concerns among
voting-system experts and causing distrust among voters.

Accordingly, I believe we should pursue two major goals in
moving forward with new electronic voting system requirements.
First, we should utilize technology that provides an independent
auditable voting record that can be verified by election officials,
such as a paper audit trail for DREs. In addition, we should ensure
that electronic voting system standards meet the need for adequate
privacy safeguards and accessibility for the disabled. These efforts
would help to ensure that every vote is accurately counted.

Second, we must try to make the process for testing software 
code more transparent. This would enable both the EAC and 
election officials to determine which products are the most secure, 
reliable, and available in the marketplace. To do this, I believe the 
EAC and NIST should search for new opportunities to partner with 
our federally funded research community in order to improve our 
vulnerability testing and certification practices. Furthermore, the
EAC should fully implement GAO’s recommendations for
strengthening the commission’s efforts to become a true national
clearinghouse for election administration.

Unfortunately, the technological challenges we face are
compounded by problems with the EAC itself. Recent news
reports indicate that the EAC has failed to carry out certain
responsibilities as required under HAVA. During the past week,
The New York Times and other publications have reported that the
EAC edited the findings of a government-funded report on voter
fraud to support the Administration’s efforts to mislead the public
on the pervasiveness of fraud.

Furthermore, we’ve learned that recent research on state 
voter identification standards conducted by Rutgers University for 
the EAC was rejected for questionable reasons. These 
developments suggest that the bipartisan EAC may be improperly 
politicizing their work. At the very least, it appears that the EAC 
has strayed from its mandate to develop and disseminate vital 
information on major election-related topics to the public in an 
objective manner. As a result, I have serious concerns about how 
the EAC is handling its stewardship role within our federal election 
system. 

It is my hope that our witnesses today can address these
issues and offer recommendations to remedy the challenges we
face. Testifying on our first panel will be Commissioner Gracia
M. Hillman of the Election Assistance Commission, and Mr.
Randolph Hite of the Government Accountability Office. Our
second panel includes four distinguished witnesses from both the
public and private sector: the Honorable Robin Carnahan,
Missouri Secretary of State; Professor Avi Rubin of Johns Hopkins
University; Mr. John Groh, Vice President of Election Systems and
Software, and Chairman of the Election Technology Council; and
Dr. Diane Golden of the Missouri Assistive Technology Council. I
welcome all of our witnesses and look forward to an informative
and frank discussion of these issues.





Mr. Turner. Thank you, Mr. Chairman. I appreciate your hold- 
ing this very important hearing. 

Since the 2000 Presidential race, the Federal Government has
been actively involved in seeking a uniform, accessible solution that
helps ensure better elections. While overall, voting systems may
have improved, we should continue to investigate our voting
systems and make improvements when the need arises.

After Congress passed the bipartisan legislation Help America 
Vote Act in 2002, complaints arose regarding direct recording elec- 
tronic voting machines, which are commonly known as touch screen 
voting machines used for elections in the majority of States. The 
security and accuracy in vote recording on these machines are of 
particular concern. Also, some accounts claim the operation of DRE 
machines may be confusing for some. To that end, we should ad- 
dress and resolve these issues. 

Mr. Chairman, this is one reason why today’s hearing is so im- 
portant. We need honest feedback and thorough analysis of any 
problems encountered in these new voting machines. 

Mr. Chairman, I want to thank you for inviting a balanced panel 
that will give us all sides of the story. 

I appreciate the witnesses’ testimony and I yield back the bal- 
ance of my time. 

[The prepared statement of Hon. Michael R. Turner follows:] 





Statement of Rep. Mike Turner 
Ranking Republican Member 

Subcommittee on Information Policy, Census and National Archives 

April 18, 2007 

Ensuring Fairness and Accuracy in Elections Involving 
Electronic Voting Systems 

Thank you, Mr. Chairman, for holding this very important hearing. 

Since the 2000 presidential race, the federal government has been actively 
involved in seeking a uniform, accessible solution that helps ensure better elections. 

While overall, voting systems may have improved, we should continue to investigate our
voting systems and make improvements when the need arises.

After Congress passed the bi-partisan Help America Vote Act in 2002, complaints 
arose regarding "Direct Recording Electronic" voting machines, which are commonly 
known as “touch screen” voting machines used for elections in a majority of states. The 
security and the accuracy in vote recording on these machines are of particular concern. 
Also, some accounts claim the operation of DRE machines may be confusing for some. 
To that end, we should address and resolve these issues. 

Mr. Chairman, this is one reason why today’s hearing is so important. We need 
honest feedback and thorough analysis of any problems encountered in these new voting 
systems. 



Mr. Chairman, I also want to thank you for inviting a balanced panel that can give
us all sides of the story. I look forward to all the witnesses’ testimony and yield back the
balance of my time.





Mr. Clay. Thank you very much, Mr. Turner. 

Are there any other Members who would like to have an opening 
statement? Mrs. Maloney. 

Mrs. Maloney. Thank you, Mr. Chairman. I thank Chairman 
Clay and Ranking Member Turner for holding today’s hearing 
about an issue that deeply concerns me, the accuracy of our Na- 
tion’s voting systems. 

Our representative democracy depends upon the integrity of the 
voting system, and it is imperative that the machines are secure 
and reliable. Questions have been raised about the security and re- 
liability of electronic voting systems, including weak security con- 
trols and design flaws, among other concerns. 

In the 2004 election, millions of voters used electronic voting ma- 
chines that lacked a voter-verified paper audit trail. Nationwide, 
the problems included broken voting machines and inaccurately re- 
corded votes, where in a few jurisdictions the votes were switched 
from John Kerry to George Bush and vice versa. 

Maryland experienced so many problems with its electronic vot- 
ing machines in the September 2006 primary that its Governor 
urged residents to vote with absentee ballots to ensure that their 
votes were counted. 

I support requiring voting machines to have a voter-verifiable 
paper audit trail, and I am a cosponsor of H.R. 811, the Voter Con- 
fidence and Increased Accessibility Act, which would require a 
voter-verified permanent paper record or hard copy. 

The American people also deserve to know who is manufacturing 
and controlling the voting machines they are using, and if these 
machines are at risk for outside manipulation. 

Last year, I raised the possibility in front of the Committee on 
Foreign Investment in the United States Review Board of 
Smartmatic’s purchase in 2005 of Sequoia Voting Machines be- 
cause of my concerns that a foreign government — in this case, Ven- 
ezuela — was investing in or owning the company that supplies vot- 
ing machines for U.S. elections. 

CFIUS looks at national security threats. I can’t think of a larger 
national security threat than not having the total integrity of your 
voting machines. 

For a few years, questions surrounded Smartmatic about its own- 
ership and its possible ties and control by the Venezuelan govern- 
ment. In December, Smartmatic announced that it would sell Se- 
quoia voting machines. There clearly were doubts about this com- 
pany, and as long as those doubts lingered, many people would 
have legitimate questions about the integrity of those voting ma- 
chines. 

It is time to institute procedures that ensure that election results 
can be audited to ensure accuracy. If the American public does not 
have faith that their votes will be recorded accurately, they may 
decide to stay home on election day, which would undermine our 
democracy. 

I look forward to hearing the witnesses. Again, I can’t think of 
a more important issue that we could be looking at than the integ- 
rity of our voting machines. 

Thank you. 

[The prepared statement of Hon. Carolyn B. Maloney follows:] 





Representative Carolyn B. Maloney (NY-14) 

“Ensuring Fairness and Accuracy in Elections Involving Electronic Voting Systems” 

April 18, 2007 

I want to thank Chairman Clay and Ranking Member Turner for
holding today’s hearing about an issue that deeply concerns me,
the accuracy of the nation’s voting systems.

Our representative democracy depends upon the integrity of the
voting system, and it is imperative that the voting machines are
secure and reliable.

However, questions have been raised about the security and
reliability of electronic voting systems including weak security
controls and design flaws, among other concerns.

In the 2004 election, millions of voters used electronic voting
machines that lacked a voter-verified paper audit trail.

Nationwide the problems included broken voting machines and
inaccurately recorded votes where in a few jurisdictions the votes
were switched from John Kerry to George Bush and vice-versa.

Maryland experienced so many problems with its electronic voting
machines in its September 2006 primary that its governor urged
residents to vote with absentee ballots to ensure that their votes
were counted.

I support requiring voting machines to have voter-verifiable paper
audit trail, and I have cosponsored H.R. 811, the “Voter Confidence
and Increased Accessibility Act,” which would require a
voter-verified permanent paper record or hard copy.

The American people also deserve to know who is manufacturing the
voting machines that they are using, and if those machines are at
risk for outside manipulation.

Last year I raised the possibility of a Committee on Foreign
Investment in the United States (CFIUS) review of Smartmatic’s
purchase in 2005 of Sequoia Voting Systems because of my concerns
that a foreign government was investing in or owning a company that
supplies voting machines for U.S. elections.

For a few years, questions had surrounded Smartmatic about its
ownership and its possible ties to the Venezuelan government.

In December, Smartmatic announced that it would sell Sequoia Voting
Systems.

There clearly were doubts about this company, and as long as those
doubts lingered, many people would have legitimate questions about
the integrity of those voting machines.

It is time to institute procedures that ensure that election results
can be audited to ensure accuracy.

If the American public does not have faith that their votes will be
recorded accurately, they may decide to stay home on Election Day.

I look forward to hearing from the witnesses.

Thank you.




Mr. Clay. Thank you so much, Mrs. Maloney, for your opening 
statement. 

It is the policy of the committee to swear in all witnesses before 
they testify. I would like to ask you both to please stand and raise 
your right hands. 

[Witnesses sworn.] 

Mr. Clay. Thank you. Let the record reflect that the witnesses 
answered in the affirmative. 

Ms. Hillman, please proceed. 

STATEMENTS OF GRACIA HILLMAN, COMMISSIONER, U.S.
ELECTION ASSISTANCE COMMISSION; AND RANDOLPH HITE,
DIRECTOR, INFORMATION TECHNOLOGY ARCHITECTURE
AND SYSTEMS, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

STATEMENT OF GRACIA HILLMAN 

Ms. Hillman. Thank you very much. Let me begin by saying 
that EAC has submitted for the record extensive testimony outlin- 
ing the details of all of our programs that certify and test voting 
systems, including the hardware and software. My remarks will 
summarize some of the testimony. 

Good afternoon, Chairman Clay, Ranking Member Turner and
all members of the subcommittee. My name is Gracia Hillman and
I am a member of the U.S. Election Assistance Commission. Mr.
Chairman, you asked me here today to discuss issues concerning
fairness and accuracy in elections that use electronic voting
systems. Today’s hearing adds an important discussion to this issue.
Fairness and accuracy are crucial components in every facet of
elections. This applies to voter registration, casting ballots, and
certifying election results.

It is important to remember that whether we are discussing a 
ballot box, an optical scan machine, or an electronic touch screen 
voting system, people control fair and accurate elections. There are 
lots of discussions about whether we can or should trust electronic 
voting machines. States choose their voting systems and some are 
now switching to optical scan machines. However, we must remem- 
ber that electronic technology is not exclusive to a touch screen vot- 
ing system. The counting and casting of ballots on an optical scan 
machine is done electronically, so we must cast a critical eye on all 
voting technologies, and the system manufacturers and the testing 
laboratories must join us in that endeavor. 

Mr. Chairman, it is not enough to only examine the device that
people use to vote. We must remember that voting is a human
exercise. To that end, EAC focuses on the technical functions and
testing of voting systems, and at the same time, we examine the
human management of elections. America is in a period of major
changes in the technology of our voting system. We know that
electronic voting systems bring advantages. For example, they enable
us to meet the language and disability access requirements of
HAVA, and they prevent people from over-voting a ballot.

However, if people do not trust these systems, if they believe the
systems can be compromised, then the advantages do not mean
very much. Nonetheless, it is important to point out that to
compromise a voting system, and I am talking about any type of voting
system, you must have two things: knowledge of the system and
unsupervised access to the machine and software.

Mr. Chairman, election officials follow security protocols to pre- 
vent that access. I mean, really, no voting system should be fully 
trusted unless election officials store them in a secure location, pre- 
vent tampering, conduct independent logic and accuracy testing, 
train its workers, audit the results, and let the public observe the 
entire process. 

EAC publishes guidelines on how to secure voting systems. We 
emphasize that details and training matter in every facet of elec- 
tions. Just one person forgetting one detail, like forgetting to bring 
election day supplies to the polling place or not even showing up 
to open the polls, can make or break an election. 

Mr. Chairman, before closing I want to address the issue of 
paper trail printing devices for DRE machines. As you know, this 
device enables a voter to confirm his selections before casting the 
ballot and presumably the paper could be used in audits. I am not 
here to discuss whether Congress should mandate paper trail. I do 
want to point out that depending on what the particular require- 
ments are, at least 180,000 DREs in this country would have to be 
replaced or upgraded. 

When you combine the introduction of new equipment, earlier 
primaries, and the enormous tasks of recruiting and training poll 
workers to meet a Presidential election year deadline, which is only 
a year and a half from now, you have all of the ingredients for a 
recipe for colossal confusion. That is why we cannot discuss voting 
system technology in a vacuum. We must also discuss and consider 
the human element. 

I have spent my entire career working to make sure all voters 
are treated fairly and that votes are counted accurately. It is useful 
to question the use of electronic voting systems. However, I urge 
you to not let electronic voting divert our attention from issues 
such as voter registration, participation and disenfranchisement. 

It is my understanding that the committee likely has questions 
for me about EAC matters, namely our research and study work. 
I am prepared to answer your questions about my testimony today 
and all of our other work. 

Thank you for this opportunity. 

[The prepared statement of Ms. Hillman follows:] 






U.S. Election Assistance Commission

Testimony before the U.S. House Committee on Oversight and Government Reform
Subcommittee on Information Policy, Census and National Archives
April 18, 2007 


Good afternoon Chairman Clay, Ranking Member Turner, and Members of the 
Subcommittee. I am pleased to be here this afternoon on behalf of the U.S. Election 
Assistance Commission (EAC) to discuss election integrity, the changes in voting that 
have been effectuated by the Help America Vote Act of 2002 (HAVA), and the role that 
EAC plays in supporting the States and local governments in implementing HAVA- 
compliant voting systems. 


INTRODUCTION 

EAC is a bipartisan commission consisting of four members: Donetta Davidson, Chair;
Gracia Hillman, Caroline Hunter, and Rosemary Rodriguez. EAC’s mission is to guide,
assist, and direct the effective administration of Federal elections through funding, 
innovation, guidance, information and regulation. In doing so, EAC has focused on 
fulfilling its obligations under HAVA and the National Voter Registration Act (NVRA). 
EAC has employed four strategic objectives to meet these statutory requirements: 
Distribution and Management of HAVA Funds, Aiding in the Improvement of Voting 
Systems, National Clearinghouse of Election Information, and Guidance and Information 
to the States. The topic of this hearing involves our strategic efforts to aid in the 
improvement of voting systems and to provide guidance and information to States to 
assist in improving the voting process. These programs and EAC’s efforts to assist States 
with implementing voting systems and procedures to safeguard those systems will be 
discussed in more detail below. 

ELECTIONS: A COMPLEX EQUATION 

Conducting elections is a complex process, involving many steps to ensure that eligible 
voters are able to cast a single ballot and that each vote is counted and reported 
accurately. A successful, accurate, open, accessible and secure election requires attention 
to several areas of election administration including the use of reliable, accurate voting 
systems and the development and implementation of a comprehensive voting process. 
Even before the voting process begins, election management efforts must ensure that 
there is a complete and accurate list of voters who are eligible to participate in the 
election. No one of these areas alone will ensure the integrity of an election. Each must 
work in tandem with the other to create an entire election process in which all voters can 
have confidence. 

In addition to ensuring the successful operation of the entire election administration 
process, the public must be given access to each step of the process. EAC recommends 
that election officials allow the public to observe the steps taken to prepare for and 
conduct an election, including system set up and testing, vote tabulation and audits and 
recounts. After all, elections are about people. People set up and program voting 
machines and people cast votes on those same machines. To conduct a successful
election, the public must be educated about and have confidence in the election
administration process.

This information is property of the U.S. Election Assistance Commission,
1225 New York Avenue, NW, Suite 1100, Washington, DC 20005
(202) 566-3100 (p), (202) 566-3127 (f), www.eac.gov


VOTER REGISTRATION 

The first step to having a successful, accurate and reliable election is to ensure that only 
eligible voters cast ballots. In most States, this begins with the process of registering 
those persons to vote. The National Voter Registration Act establishes the standard by 
which persons are registered to vote for Federal elections. And, HAVA significantly 
changed the means of maintaining, verifying, and managing that information. 

Prior to HAVA, very few States administered the voter registration process. Voter 
registration was conducted by local election officials and voter registration lists were 
maintained by local election officials. HAVA required the establishment of a single, 
statewide voter registration list in each State. After HAVA, there is to be only one list 
that contains the names of all of the registered voters in the State, removing the 
possibility of multiple and outdated registrations. 

States are required to maintain and administer these new voter registration lists, including 
the responsibility assigned by HAVA to verify voter registration information against 
other available State and Federal information. For example, new registrations must be 
verified against the information maintained by the Department of Motor Vehicles in the 
State and the Social Security Administration. State election officials are also required to 
compare the voter registration list against the death records maintained by the State’s 
office of vital statistics. 

To facilitate this type of review, voters are required to provide either a driver’s license 
number or the last four digits of his/her social security number when registering. If the 
voter fails to provide this information, the election official is prohibited from processing 
the voter registration, unless the voter does not have either a social security number or a 
driver’s license number. Further, for voters who register to vote by mail, they must
provide some proof of identity - a copy of the voter’s driver’s license, a utility bill, or
other government document bearing the name and address of the voter. If the voter does 
not provide this information and if the voter’s application cannot be verified using the 
social security number or driver’s license number, the voter will have to provide some 
form of identification upon voting for the first time. 

In 2005, EAC issued interpretive guidance concerning the construction and maintenance 
of these statewide voter registration lists. This guidance worked to assure that the 
requirements of HAVA were implemented properly and in a manner that maintained 
voters’ rights in the registration process. For example, when voter registration
verification shows a discrepancy between information provided by the voter and 
information available through other State and Federal databases, it is critical to involve
the voter in resolving the discrepancy. The voter is best equipped to determine whether 
the discrepancy is the result of a mistake, incorrect information in the other database, or 
some other problem. In 2007, EAC will continue its work to inform and educate the 
public on the interaction between HAVA and NVRA and to amend NVRA regulations, as 
necessary, to ensure the proper implementation of both Acts. 

It is imperative to the election process to have an accurate list of persons who are eligible 
to cast ballots. This can be accomplished by operating a voter registration system that 
complies with HAVA and that is updated frequently so that duplicate and fraudulent 
registrations can be caught and remedied. 

VOTING SYSTEMS 

Voting system integrity requires an accurate, reliable, accessible and auditable voting 
system. There are various opinions on what constitutes accurate, reliable, accessible and 
auditable, but one clear source is the Help America Vote Act of 2002 (HAVA). HAVA 
establishes a number of requirements for voting systems, including that the system: 
• Allow the voter the ability to change his or her selections prior to casting a vote;
• Notify the voter of an overvote and the consequences of casting an overvote;
• Provide a permanent paper record of the election that is auditable;
• Provide accessibility to individuals with disabilities including persons who are
blind or visually impaired;
• Provide accessibility to persons for whom English is not their first language when
required by Section 203 of the Voting Rights Act; and
• Meet or exceed the error rate as established in the 2002 Voting System Standards
developed by the Federal Election Commission.

See HAVA Section 301; 42 U.S.C. Section 15481. This section requires that all voting 
systems used in an election for Federal office meet or exceed these requirements. States 
could use HAVA funding to purchase voting systems that meet or exceed these 
requirements. A chart showing the funds distributed to each State is found on EAC’s 
Web site, www.eac.gov.

In addition, HAVA also required EAC to develop guidelines for testing voting systems 
and required EAC to establish a program for the testing of voting systems using federally 
accredited laboratories. These guidelines and testing and accreditation processes 
establish a means to determine whether voting systems meet the base-line requirements 
of HAVA and the more descriptive and demanding standards of the voluntary voting 
system guidelines developed by EAC. This process provides assurance to election 
officials and members of the public that the voting systems that they use will perform in a 
manner that is accurate, reliable, accessible and auditable.

Voluntary Voting System Guidelines (VVSG)

One of EAC’s most important mandates is the testing, certification, decertification and 
recertification of voting system hardware and software. Fundamental to implementing 
this key function is the development of updated voting system guidelines, which 
prescribe the technical requirements for voting system performance and identify testing 
protocols to determine how well systems meet these requirements. EAC along with its 
Federal advisory committee, the Technical Guidelines Development Committee (TGDC), 
and the National Institute of Standards and Technology (NIST), work together to develop 
voluntary testing standards. 

History of Voting System Standards and Guidelines 

The first set of national voting system standards (VSS) was created in 1990 by the 
Federal Election Commission (FEC). In 2002, FEC updated the standards and HAVA 
mandated that EAC develop a new iteration of the standards — which would be known as
the Voluntary Voting System Guidelines (VVSG) — to address advancements in
information security and computer technologies as well as improve usability. 

HAVA mandated a 9-month period for the TGDC to develop the initial set of VVSG. The
TGDC, working with NIST, technology experts, accessibility experts, and election 
officials, completed the first draft and delivered it to EAC in May 2005. In addition to 
providing technical support to the TGDC, NIST also reviewed the 2002 Voting System 
Standards (2002 VSS) to identify issues to be addressed in the 2005 guidelines, drafted 
core functional requirements, categorized requirements into related groups of 
functionality, identified security gaps, provided recommendations for implementing a 
voter-verifiable paper audit trail, and provided usability requirements. NIST also updated 
the VVSG’s conformance clause and glossary.

On December 13, 2005, EAC adopted the first iteration of the Voluntary Voting System 
Standards (VVSG). Before the adoption of the VVSG, EAC conducted a thorough and
transparent public comment process. After conducting an initial review of the draft
VVSG, EAC released the two-volume proposed guidelines for public comment for a
period of 90 days; during this period, EAC received more than 6,000 comments. Each 
comment was reviewed and considered before the document was finalized and adopted. 
The agency also held public hearings about the VVSG in New York City, NY, Pasadena,
CA, and Denver, CO. 

The VVSG was an initial update to the 2002 Voting System Standards focusing primarily
on improving the standards for accessibility, usability and security. The VVSG also
establishes the testing methods for assessing whether a voting system meets the 
guidelines. In many areas, these guidelines provide more information and guidance than 
HAVA. For example, these testing guidelines incorporated standards for reviewing
voting systems equipped with voter verifiable paper audit trails (VVPAT) in recognition 
of the many States that now require this technology. Likewise, in the area of 
accessibility, the guidelines require that if the VVPAT is used as the official ballot, the
paper record be made accessible to persons with disabilities, including persons with
visual impairments or disabilities. Volume I of the VVSG, Voting System Performance
Guidelines, includes new voluntary requirements for accessibility, usability, voting 
system software distribution, system setup validation, and wireless communications. It 
provides an overview of the voluntary requirements for independent verification systems, 
including voluntary requirements for a voter-verified paper audit trail for States that 
require this feature for their voting systems. Volume I also includes the requirement that 
all voting system vendors submit software to a national repository, which will allow local 
election officials to make sure the voting system software that they purchase is the same 
software that was certified. 

Volume II of the VVSG, National Certification Testing Guidelines, describes the
components of the national certification testing process for voting systems, which will be 
performed by independent voting system test labs accredited by EAC. EAC is mandated 
by HAVA to develop a national program to accredit test laboratories and certify, 
decertify, and recertify voting systems. The VVSG and the comments received from the
public about the guidelines are available at www.eac.gov.

The Future of the Voluntary Voting System Guidelines 

Significant work remains to be done to fully develop a comprehensive set of guidelines 
and testing methods for assessing voting systems and to ensure that they keep pace with 
technological advances. TGDC and NIST have been working since the development of 
the initial iteration of the VVSG in 2005 to revise that version and to completely review
and update the 2002 Voting System Standards that were developed by the FEC. EAC
expects to receive a draft of this document from NIST in July 2007. 

In addition to this work, NIST is working to develop a uniform set of test methods that 
can be applied to the testing of voting equipment. Currently, accredited laboratories 
develop their own test methods to test voting equipment. After the completion of these 
uniform test methods, every accredited lab will use the same test to determine if a voting 
system conforms to the VVSG. This is a long and arduous process as test methods must
be developed for each type and make of voting system. Work is beginning in 2007 on 
these methods, but will likely take several years to complete. 

Voting system testing and certification and laboratory accreditation program 

Accreditation of Voting System Testing Laboratories 

HAVA Section 231 requires EAC and NIST to develop a national program for
accrediting voting system testing laboratories. The National Voluntary Laboratory
Accreditation Program (NVLAP) of NIST provides for the initial screening and 
evaluation of testing laboratories and will perform periodic re-evaluation to verify that 
the labs continue to meet the accreditation criteria. When NIST has determined that a lab 
is competent to test systems, the NIST director recommends to EAC that a lab be 
accredited. EAC then makes the determination to accredit the lab. EAC issues an 
accreditation certificate to approved labs, maintains a register of accredited labs and posts 
this information on its website. 

In July 2005, NVLAP advertised for the first class of testing laboratories to be reviewed 
under the NVLAP program and accredited by EAC. Five laboratories have applied for 
the accreditation program. Pre-assessments of these laboratories began in April 2006. 

Because testing of voting systems could not be delayed, there had to be an interim review 
and accreditation of laboratories. At a public meeting in August 2005 held in Denver, the 
commissioners received a staff recommendation outlining the details of the interim 
accreditation program. The staff recommendation included a process in which the three 
laboratories previously accredited by NASED - CIBER, SysTest Labs, and Wyle 
Laboratories - would be allowed to apply for interim accreditation. In late 2005, EAC 
invited laboratories that were accredited through the National Association of State 
Election Directors (NASED) program as Independent Testing Authorities (ITAs) to apply 
for interim accreditation. All three ITAs applied for interim accreditation. Interim 
accreditation reviews by EAC contractors began in the spring 2006. Two of the ITAs 
were accredited on an interim basis. One laboratory is still under consideration for 
accreditation in the interim program. However, on February 8, 2007, EAC voted to 
terminate the interim laboratory accreditation program as EAC has received a 
recommendation from NIST regarding the accreditation of two laboratories that had 
undergone review through NVLAP. 

On January 18, 2007, EAC received recommendations from NIST to accredit two test 
laboratories under EAC’s new Voting System Certification and Laboratory Accreditation 
Program. NIST recommended that EAC accredit iBeta Quality Assurance and SysTest 
Labs to test voting systems against both the 2002 Voting System Standards and the 2005 
Voluntary Voting System Guidelines. EAC conducted additional review of the 
recommended labs to address non-technical issues such as conflict of interest policies, 
organizational structure, and recordkeeping protocols. On February 21, 2007, EAC voted 
at a public meeting to accredit these two laboratories under its Voting System 
Certification and Laboratory Accreditation Program. 

Voting System Certification 

In 2007, EAC assumed the responsibility of certifying voting systems according to 
national testing guidelines. Previously, the National Association of State Election 
Directors (NASED) qualified voting systems to both the 1990 and 2002 Voting System
Standards. EAC’s certification process constitutes the Federal government’s first efforts 
to standardize the voting system industry. 

In July 2006, EAC implemented its pre-election certification program, which only 
focused on reviewing changes or modifications that were necessary for modifications to 
systems that would be used during the November 2006 elections. Three modifications 
were reviewed and approved under the pre-election program. Those modifications were 
approved only conditionally. The condition was that the authorization for the 
modification expired after the 2006 election. After that, no modification will be 
considered unless the entire system has already received an EAC certification. 

In October 2006, EAC published for public comment its post-election certification 
program. This program encompasses an expanded and detailed review of voting systems, 
utilizing accredited laboratories and technical reviewers. At a public meeting on 
December 7, 2006, EAC adopted its Voting System Certification Program, which became 
effective on January 1, 2007. Since that time, nine manufacturers have registered to 
participate in the EAC program. The registration process is antecedent and required prior 
to a manufacturer submitting a system for testing. Currently, nine manufacturers are 
registered with EAC. A list of registered manufacturers is available at www.eac.gov.

Once the manufacturer is registered, it may submit systems for testing to an EAC- 
accredited testing laboratory. Reports from that laboratory’s assessment are provided to 
EAC for review and action. The reports are reviewed by EAC technical reviewers. If the 
report is in order and the system is in conformance with the applicable voting system 
standards or guidelines, the technical reviewers will recommend that EAC grant the 
system certification. EAC’s executive director will consider the recommendation and 
make the final decision regarding certification. Once certified, a system may bear an 
EAC certification sticker and may be marketed as having obtained EAC certification. 

The EAC’s certification process includes assessment of quality control, field monitoring,
decertification of voting systems, and enhanced public access to certification information.
For more information concerning EAC’s Voting System Testing and Certification
Program, see the program manual for this program, which is available on the EAC Web
site, www.eac.gov.

Federal Process Adds Transparency and Accountability 

The implementation of EAC’s Laboratory Accreditation Program and Voting System 
Testing and Certification Program mark the first time that the Federal government has 
funded and tested both laboratories and voting systems. Both of these processes were 
previously conducted by NASED in a collaborative and voluntary effort. The Federal 
government’s involvement in these processes will shed light on the rigorous process that 
ensures that our nation’s voting systems are accurate, reliable and ready for service in any 
election. Unlike our predecessors, EAC is obligated to conduct accreditation and 
certification processes that are open and that share information about the results of those
tests with the public. EAC has developed its programs with the knowledge that public
confidence is critical to the election process and that public confidence comes from
public knowledge and understanding of the process. Information about EAC accredited
laboratories is available on EAC’s Web site, www.eac.gov. Similarly, information about
EAC’s testing and certification program and any systems that have been tested through 
that program also will be available on the EAC Web site. 

State voting system testing 

The requirements that States place on the type of voting equipment that can be used in 
each State are very important to implementing accurate and reliable voting systems. 
EAC’s Voluntary Voting System Guidelines and its testing and certification program are 
voluntary. These programs were established in HAVA to allow States to voluntarily 
adopt the programs and thereby make those programs mandatory in the States that adopt 
them. Thus, it is State action that requires this important testing and certification process. 

In addition to adopting the VVSG and testing and certification requirements, many States
implement another layer of protection and voting integrity. Many States have their own 
testing and certification processes that they pair with the Federal (previously National) 
testing and certification process. The degree of intensity of these programs varies. Some 
test only to additional State requirements, while others essentially re-test to the same 
standards that were required under the Federal or National testing and certification 
program. 

In addition to this type of testing and certification, States also conduct acceptance testing
on voting systems when they are received from the manufacturer. This testing should
determine that the voting system functions properly and that it has been configured in the 
way that the State requested through its purchase contract. Last, but certainly not least, 
States and local governments also conduct logic and accuracy testing on voting 
equipment prior to each election. In this testing, the voting system is loaded with the 
actual ballot and a test is performed to determine that the system is accurately recording 
votes on that ballot. This test is conducted using a controlled sample of votes, often times 
referred to as a “test deck.” While test deck technically refers to a deck of optical scan or 
other paper ballots, the same concept applies to testing direct record electronic (DRE) 
voting systems by using a known series of votes. 

Implementing Accurate and Reliable Voting Systems 

In our opinion, a State or local government can ensure the accuracy and reliability of their 
voting systems by choosing to require the following processes that we have discussed. 
First, only use systems that have been tested and certified as meeting the requirements of 
HAVA and the applicable voting system standards or guidelines. Second, require that the 
manufacturer keep pace with changing technology and standards. Include in contract
terms provisions that require manufacturers to upgrade systems at a reasonable price. 
Third, to add another level of scrutiny, States should implement their own voting system
testing and certification procedures. Even if it is only for those requirements that are 
unique to the State, the State should assure that the system can perform as desired. 

Fourth, conduct rigorous and independent acceptance testing. States and local 
governments should conduct their own testing, if necessary with the assistance of a third 
party technical advisor, to ensure that the acceptance testing process is independent. 
Acceptance tests should also be rigorous and put the equipment through the type of work 
that it is intended to perform in an election environment. If the equipment does not 
perform properly it should be rejected. Last, conduct logic and accuracy testing on every 
piece of voting equipment that is to be used in the election. All systems must be checked 
to assure that they are accurately counting votes. Where discrepancies arise, the system, 
programming, and paper and printing (where paper is used) should be checked and the 
problem resolved before the voting equipment is placed in service for the election. 

While we state these suggested requirements emphatically, EAC wants to assure that it is 
clear that many States and local election jurisdictions have already implemented each and 
every one of these steps to ensure that their elections are conducted accurately and 
reliably. This commitment to detail by the nation’s election officials is why exit polls 
showed that 88 percent of voters were reported to have confidence that their votes were 
counted accurately. Continued vigilance in this and other areas impacting election 
integrity will help to improve confidence in a process that already enjoys overwhelming 
success. 


THE VOTING PROCESS 

Once a State or local election jurisdiction has purchased a new voting system, there is 
still a great deal of work to be done to assure that elections are conducted properly. 
Purchasing the right system is in many ways the easy part. Using it properly takes time, 
planning, and persistent attention to detail. 

Election officials must keep in mind that in order to successfully compromise a voting 
system during an election, a person must have knowledge of the system and access to the 
system while the election is taking place - a scenario that applies to ballot boxes or e- 
voting machines. Any discussion or policy about implementing a secure voting system 
must examine all aspects of the voting process. The bottom line is that real security for 
any type of voting system - electronic or paper-based - comes from systematic 
preparation. State officials should ensure that they:

• Prepare systems to prevent tampering; 

• Prepare people to detect tampering; 

• Prepare poll workers and law enforcement to react to tampering; and 

• Prepare election officials to recover by auditing and investigating tampering. 




These fundamental election administration processes to protect the entire voting process 
will always be important, even as voting technology evolves. Focusing solely on the 
reliability of voting systems is not enough, and a Federal certification for the system 
cannot take the place of solid, thorough management procedures at the State and local 
levels to ensure the system is managed, tested, and operated properly. Achieving 
accurate and reliable election results will always be the combination of thorough testing 
of the equipment at multiple levels, training and resources for election officials and poll 
workers, and through election management guidelines for every aspect of election 
administration. 

Management Guidelines 

EAC is working to assist States and local election jurisdictions with identifying and 
managing all of the details surrounding the successful administration of elections. In 
2005, EAC began work on a comprehensive set of management guidelines, collaborating 
with a group of experienced State and local election officials to provide subject matter 
expertise and to help develop the guidelines. The project focuses on developing 
procedures related to the use of voting equipment and procedures for all other aspects of 
the election administration process. These publications are intended to be a companion to 
the VVSG and assist States and local election jurisdictions with the appropriate
implementation and management of their voting systems. The first set of election 
management guidelines will be completed in FY 2007; they will be available to all 
election officials to incorporate these procedures at the State and local levels. 

Four Quick Start Guides were distributed to election officials prior to the 2006 election. 
These guides are summaries of more extensive chapters of the Management Guidelines 
that will be released this year. The guides were sent to election officials throughout the 
nation and covered topics such as introducing a new voting system, ballot preparation, 
voting system security, and poll worker training. All Quick Start guides are available at 
www.eac.gov . A brief description of each Quick Start guide is provided below. 


Quick Start Guide for New Voting Systems 




The guide provides a snapshot of processes and procedures 
election officials should use when introducing a new voting 
system. It covers receiving and testing of equipment; 
implementation tips, such as conducting a mock election 
and developing contingency plans; and programming. The 
guide also offers Election Day management strategies, 
including opening the polls, processing voters, and closing 
the polls. 


Quick Start Guide for Ballot Preparation/ Printing and Pre-Election Testing 






Ballot preparation and logic and accuracy testing are 
essential steps to ensure Election Day runs smoothly. 
The guide offers tips on preparing and printing ballots, 
which includes confirming that ballots conform to all 
applicable State laws as well as requiring a multilayered 
ballot proofing process at each stage of the design and 
production process. The guide also covers pre-election 
testing for hardware and software logic and accuracy. 



Quick Start Guide for Voting System Security 




The introduction of new equipment also ushered in concerns 
regarding voting system security. To address some of those 
concerns and to help election officials implement effective 
management procedures, the guide highlights priority items 
essential to securing these systems. It addresses software 
security, advising officials to be sure that the software 
installed on the systems is the exact version that has been 
certified. The guide advises officials to not install any 
software other than the voting system software on the vote 
tabulating computer; to verify that the voting system is not 
connected to any network outside the control of the election 
office; and to consider any results transmitted electronically to 
be unofficial and verify them against results contained on the 
media that are physically transported to the central office. 

Also included in the guide are recommendations regarding 
password maintenance, physical security, personnel security, 
and procedures to secure the equipment. 



Quick Start Guide for Poll Workers 


One of the most challenging tasks for 
election officials is recruiting and training 
poll workers. The guide contains 
information about identifying potential 
poll workers, effective training programs 
and techniques, as well as procedures to 
implement on Election Day. 


A full range of Management Guideline documents will be developed to cover topics 
related to election administration, including: 

o Pre-Election Testing 


o Ballot Design 
o Contingency/Disaster Planning 
o Vote by Mail/ Absentee Voting 
o Military/Overseas Voting 
o Polling Place/Vote Center Management 

In addition, new Quick Start guides are planned for 2007, including guides on the 
following topics: 

o Change Management 
o Public Relations 
o Contingency/Disaster Planning 
o Certification 
o Developing an Audit Trail 

Proper management of elections is key to conducting a reliable, accurate, open and 
accessible election. Buying state of the art voting equipment with the latest security 
features is meaningless unless the door to the storehouse where the voting systems are 
kept is secured and locked. Similarly, equipment used to program voting systems should 
never be connected to the Internet. It is EAC’s goal to communicate these suggestions 
and requirements to the election officials to help them increase the security and accuracy 
of their voting equipment by their practices and procedures. 

Review of voting system operation 

Good election management and administration includes a review of the voting system 
operation before, during and after the election. Whether using a recount, audit or parallel 
testing, it is critical to take steps to make sure that voting equipment performed properly 
and calculated votes properly. 

Recounts and Audits 

Recounts are a common method for reviewing the performance of voting equipment. 
Many States have laws that require recounts when certain conditions exist, such as a 
close race. Others have mandatory recounts of a certain percentage of ballots after every 
election regardless of the outcome. Some States refer to automatic recounts as audits. 
Regardless of whether it is an audit or a recount, the review of an election should be 
conducted with as much care as the election. 

Whether optical scan or electronic, all voting systems produce a form of paper record that 
can be audited or recounted, a requirement of HAVA. Optical scan systems, obviously, 
use the paper ballots as the paper record that can be audited or recounted. Conversely, 
direct record electronic systems can use one of two paper sources for recounting or 
auditing the election. Every DRE is required to produce a paper record suitable for 
auditing that shows every vote that was cast on the voting system. This record is 
produced in a randomized order to avoid association with a voter and is obtained from the 
internal memory of the DRE. Some DREs also have the ability to produce a voter 
verifiable paper audit trail (VVPAT). This paper record is produced from the computer’s 
internal memory but is generated contemporaneously prior to the voter casting his/her 
ballot. It is verifiable by the voter; meaning that the voter can verify that the computer 
generated image on the screen is the same as the computer generated print out. 

It is critical in a recount or audit situation to assure that the quality of the paper record is 
considered. With paper ballots, there may be a question of the intent of the voter if the 
ballot is not marked according to the ballot instructions. Similarly, because VVPATs are 
contemporaneously recorded, there can be paper jams, a lack of ink or other printer 
problems that result in the degradation of the paper record. The State or local election 
jurisdiction must take these realities into account and provide a means by which problems 
can be solved when they arise during a recount or audit. 

Audits and recounts are frequently conducted on a manual basis. The ballots or paper 
records are hand counted by people. Another reality that must be addressed is that people 
make mistakes. There must be procedures and processes in place to reduce and catch the 
number of human counting errors. 

Parallel testing 

Parallel testing is a relatively new practice in monitoring the accuracy of an election. It is 
done simultaneously with the conduct of the election. Several voting systems are set up 
as “sample systems” and are voted on by election personnel during the course of the 
regularly scheduled election. Some States and local governments conduct parallel testing 
prior to the election. However, the process is the same. The machines are voted with a 
known set of votes, such as using a set of paper ballots from the absentee voting process. 
These votes are entered onto the DRE system and counted. The system is deemed to be 
operating properly if the hand count of the ballots and the computer tally are the same. 
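
The comparison behind two checks described in this testimony, as an added example that is not part of the testimony or of any EAC guide: the parallel-test pass criterion (hand count equals computer tally) and the security guide's advice to verify electronically transmitted results against the physically transported media. The data layout, function names and sample tallies are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Mapping, Optional, Tuple

Key = Tuple[str, str, str]   # (precinct, contest, choice)
Tally = Dict[Key, int]


@dataclass(frozen=True)
class Discrepancy:
    precinct: str
    contest: str
    choice: str
    reference: Optional[int]  # authoritative count; None if the row is absent
    observed: Optional[int]   # count under review; None if the row is absent


def hand_count(precinct: str, ballots: Iterable[Mapping[str, str]]) -> Tally:
    """Tally a known test deck; each ballot maps contest -> marked choice."""
    counts: Counter = Counter()
    for ballot in ballots:
        for contest, choice in ballot.items():
            counts[(precinct, contest, choice)] += 1
    return dict(counts)


def reconcile(reference: Tally, observed: Tally) -> List[Discrepancy]:
    """Return every row on which the two tallies disagree.

    A row missing from one side is reported as None instead of being treated
    as zero, so a dropped precinct is distinguishable from a zero-vote line.
    """
    diffs = []
    for key in sorted(set(reference) | set(observed)):
        ref, obs = reference.get(key), observed.get(key)
        if ref != obs:
            diffs.append(Discrepancy(*key, ref, obs))
    return diffs


def contest_totals(tally: Tally) -> Dict[Tuple[str, str], int]:
    """Votes counted per (precinct, contest), summed over all choices."""
    totals: Counter = Counter()
    for (precinct, contest, _choice), n in tally.items():
        totals[(precinct, contest)] += n
    return dict(totals)


# Constructed parallel-test deck: five ballots with known votes.
TEST_DECK = [
    {"Mayor": "A", "Measure 1": "Yes"},
    {"Mayor": "A", "Measure 1": "No"},
    {"Mayor": "B", "Measure 1": "Yes"},
    {"Mayor": "A", "Measure 1": "Yes"},
    {"Mayor": "B", "Measure 1": "No"},
]

# Constructed machine tally in which one Mayor vote moved from A to B.
MACHINE_TALLY: Tally = {
    ("P-01", "Mayor", "A"): 2,
    ("P-01", "Mayor", "B"): 3,
    ("P-01", "Measure 1", "Yes"): 3,
    ("P-01", "Measure 1", "No"): 2,
}

# Constructed results read from the physically transported media, and an
# electronically transmitted copy that never received precinct P-02.
MEDIA_TALLY: Tally = {
    ("P-01", "Mayor", "A"): 3,
    ("P-01", "Mayor", "B"): 2,
    ("P-02", "Mayor", "A"): 10,
    ("P-02", "Mayor", "B"): 7,
}
TRANSMITTED_TALLY: Tally = {k: v for k, v in MEDIA_TALLY.items() if k[0] == "P-01"}


if __name__ == "__main__":
    hand = hand_count("P-01", TEST_DECK)
    print("parallel test discrepancies:")
    for d in reconcile(hand, MACHINE_TALLY):
        print("  ", d)
    # Per-contest totals still agree, so a totals-only check misses the shift.
    print("totals agree:", contest_totals(hand) == contest_totals(MACHINE_TALLY))
    print("media vs transmitted:")
    for d in reconcile(MEDIA_TALLY, TRANSMITTED_TALLY):
        print("  ", d)
```

The first comparison shows why the check has to be made per choice: the shifted vote leaves the contest total unchanged.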

TRANSPARENCY AND ACCOUNTABILITY FOR THE PUBLIC 

Implementing extensive management procedures for the entire election administration 
process is crucial to accurate and secure elections. The public must be informed about 
how elections are conducted to ensure they have confidence in the process, or all efforts 
to achieve election integrity will be lost. 

Most voters are not familiar with the entire election administration process. Their 
interaction is usually limited to Election Day when they show up, in some cases provide 
identification, and are escorted to the booth where they cast their vote on a paper or 
electronic system. The public is not engaged in the “behind the scenes” work that goes 
on to make the election that they are participating in run smoothly. They have not been 
involved in the months of planning that go into a smooth election. They never see the 
processes that are involved such as: 

o qualifying candidates, 
o laying out ballots, 
o programming voting equipment, 
o checking and double checking the ballots, 

o training poll workers on the various election laws and voters rights, as well as the 
intricacies of how the voting equipment works, 
o delivering the voting equipment, 
o tabulating the results, 
o reporting the results, 
o recounting or auditing, and 
o certifying the final totals. 

Good and efficient election administration requires election officials to educate the public 
about the election process. One easy way to do that is for election officials to provide the 
public access to the process. Officials can make processes such as voting system set up, 
logic and accuracy testing, vote tabulation and recounts open to the public. This way the 
public can learn about the process while it is ongoing. 

Another means is to provide educational materials to the media, government agencies, 
and to organizations that educate the public about voting. When implementing a new 
voting system it is critical to get information to the public about the new systems and how 
they work. In 2006, EAC distributed a Voter's Guide to Election Day for the public to 
provide information about election processes. The guide included information about: 

o registering to vote, 
o polling place information, 
o absentee and early voting, 
o provisional voting, 
o voting systems, 
o poll workers, and 
o Election Day procedures. 

This guide was generalized in order to be applicable to all 50 States, the District of 
Columbia and the four territories in terms of the way in which they conduct elections. 

The guide can also be used by States and local governments to develop similar, more 
specific pieces geared toward the way that elections are conducted in their jurisdiction, 
including localized information about registration and voting procedures, as well as the 
type of voting equipment that is used there. 


EAC is also conducting a 2006 Voting Administration and Election Survey, which will 
include data from each State about registration, provisional voting, voting system usage 
and other election data sets to inform the public about how, where, and when we vote. 

CONCLUSION 

Elections are a complex equation of people, equipment and processes. All three pieces 
work together to ensure a successful, accurate and reliable election. HAVA was careful 
to address them all. Future work in elections must consider all aspects of election 
administration in order to result in increased confidence in the election process. 

EAC appreciates the opportunity to provide this testimony. If you have any questions, I 
will be happy to address them. 




Mr. Clay. Thank you so much for your testimony, Ms. Hillman. 

Mr. Hite, you may proceed. Would you summarize your testi- 
mony for us within 5 minutes? 

STATEMENT OF RANDOLPH HITE 

Mr. Hite. Yes, sir. 

Thank you, Chairman Clay. 

In the wake of the 2000 and 2004 elections, GAO looked at the 
national election process end to end, focusing on all aspects of it, 
including the use of electronic voting systems. Our most recent re- 
ports cast considerable light on the challenges associated with 
these systems, so my testimony today draws from those reports and 
I will summarize it by making five points. 

Point one, although voting systems play a major role in elections, 
they are but one facet of a highly complex and decentralized elec- 
tion environment that depends on the effective interplay of people, 
processes and technology. As such, when I think of a “voting sys- 
tem” I think of not only the hardware and software, but also the 
persons who interact with them and the rules that govern this 
interaction. 

Point two, although security and reliability have arguably taken 
center stage in the debate surrounding electronic voting systems, 
other performance characteristics such as ease of use and cost 
should not be overlooked. For example, certain DREs have been 
found to have security vulnerabilities that can be exploited, such 
as unencrypted files and no or easily guessed passwords, and some 
lack a paper record. 

At the same time, DREs can be more accommodating to voters 
with disabilities, and they can protect against common voter errors 
such as over-voting. 

On the other hand, optical scan voting systems, particularly cen- 
tral count systems, have a lower capital cost than DREs and they 
offer a paper record. However, they can be more challenging for 
voters with certain types of disabilities, and they can create paper 
nightmares for jurisdictions that have to accommodate multiple 
languages. 

Point three, voting system security and reliability is a function 
of how well each phase in the voting system life cycle is managed 
at all levels of government. Simply stated, the system life cycle be- 
gins with defining the standards that a system is to meet. It is fol- 
lowed by vendor development and associated vendor and govern- 
ment testing to ensure that the standards are met. It ends with 
government acquisition and operation and maintenance of the ven- 
dor systems. How well each of these phases is executed will largely 
dictate how securely and reliably the system performs on election 
day. 

Since the 2004 elections, a range of concerns have been voiced 
about the extent to which the activities associated with each of 
these life cycle phases are being performed by all levels of govern- 
ment and the system manufacturers. 

Point four, given the highly decentralized nature of elections, 
States and local jurisdictions play huge roles in the life cycle man- 
agement of voting systems. However, they have not always ensured 
that important voting system management practices are employed. 





Relative to the 2004 elections, we surveyed the 50 States and the 
District of Columbia, a sample of 788 local voting jurisdictions, and 
we visited 28 jurisdictions. According to the responses we received, 
outdated systems standards were sometimes being adopted and ap- 
plied; certain types of testing were widely performed, while others 
were rarely performed; security management practices ranged from 
rigorous to ad hoc; and the nature and type of security controls ran 
the gamut. 

Point five, the challenges associated with ensuring that electronic 
voting systems operate securely and reliably during an election are 
many and profound, but they are not like the challenges related to 
relying on technology to support any mission-critical government 
operation. However, the highly diffused and decentralized nature of 
elections, in my opinion, makes these challenges more formidable, 
as it requires the combined efforts of all levels of government. 

HAVA established the EAC and assigned it certain responsibil- 
ities relative to these efforts. We have made recommendations to 
assist the EAC in this regard, which it agreed with. In general, 
these recommendations focused on introducing greater trans- 
parency and accountability into the EAC’s activities by having 
them develop plans for each of its areas of responsibility, that is, 
plans that defined what actions will be done, when, at what cost, 
to what end, and what outcomes will be achieved. 

To the EAC’s credit, it has continued taking important action 
since our recommendations aimed at meeting its HAVA 
responsibilities. However, we have yet to see the kind of strategic 
planning that our recommendations envisioned. 

This concludes my statement. I would be happy to answer any 
questions that you have. 

[The prepared statement of Mr. Hite follows:] 





GAO 

United States Government Accountability Office 

Testimony 

Before the Subcommittee on Information 
Policy, Census, and National Archives, 
House Committee on Oversight and 
Government Reform 

For Release on Delivery 

Expected at 2:00 p.m. EDT 
Wednesday, April 18, 2007 

ELECTIONS 

All Levels of Government 
Are Needed to Address 
Electronic Voting System 
Challenges 


Statement of Randolph C. Hite, Director 

Information Technology Architecture and Systems 




GAO-07-741T 








Highlights 


Highlights of GAO-07-741T, a testimony to the 
Subcommittee on Information Policy, 
Census, and National Archives, 
Committee on Oversight and Government 
Reform, House of Representatives 


ELECTIONS 

All Levels of Government Are Needed to 
Address Electronic Voting System 
Challenges 


Why GAO Did This Study 

Since the 2000 national elections, concerns have been raised by various groups 
regarding the election process, including voting technologies. Beginning in 2001, 
GAO published a series of reports examining virtually every aspect of the 
elections process. GAO’s complement of reports was used by Congress in framing 
the Help America Vote Act of 2002, which, among other things, provided for 
replacement of older voting equipment with more modern electronic voting systems 
and established the Election Assistance Commission (EAC) to lead the nation’s 
election reform efforts. GAO’s later reports have raised concerns about the 
security and reliability of these electronic voting systems, examined the EAC’s 
efforts to address these concerns, and surveyed state and local officials about 
practices used during the 2004 election, as well as plans for their systems for 
the 2006 election. 

Using its published work on electronic voting systems, GAO was asked to testify 
on (1) the contextual role and characteristics of electronic voting systems, (2) 
the range of security and reliability concerns that have been reported about 
these systems, (3) the experiences and management practices of states and local 
jurisdictions regarding these systems, and (4) the longstanding and emerging 
challenges facing all levels of government in using these systems. 

What GAO Found 

Voting systems are one facet of a multifaceted, year-round elections process 
that involves the interplay of people, processes, and technology, and 
includes all levels of government. How well these systems play their role in 
an election depends in large part on how well they are managed throughout 
their life cycles, which begins with defining system standards; includes 
system design, development and testing; and concludes with system 
operations. Important attributes of the systems’ performance are security, 
reliability, ease of use, and cost effectiveness. 

A range of groups knowledgeable about elections or voting systems have 
expressed concerns about the security and reliability of electronic voting 
systems; these concerns can be associated with stages in the system life 
cycle. Examples of concerns include vague or incomplete voting system 
standards, system design flaws, poorly developed security control, 
incorrect system configurations, inadequate testing, and poor overall 
security management. 

For the 2004 national elections, states’ and local governments’ responses to 
our surveys showed that they did not always ensure that important life cycle 
and security management practices were employed for their respective 
electronic voting systems. In particular, responses indicated that the most 
current standards were not always adopted and applied, security 
management practices and controls were employed to varying degrees, and 
certain types of system testing were not commonly performed. Moreover, 
jurisdictions’ responses showed that they did not consistently monitor the 
performance of their systems. 

In GAO’s view, the challenges faced in acquiring and operating electronic 
voting systems are not unlike those faced by any technology user — adoption 
and application of well-defined system standards; effective integration of the 
technology with the people who operate it and the processes that govern the 
operation; rigorous and disciplined performance of system security and 
testing activities; reliable measurement of system performance; and the 
analytical basis for making informed, economically justified decisions about 
voting system investment options. These challenges are complicated by 
other conditions such as the distribution of responsibilities among various 
organizations and funding opportunities and constraints. Given the diffused 
and decentralized allocation of voting system roles and responsibilities 
across all levels of government, addressing these challenges will require the 
combined efforts of all levels of government, under the leadership of the 
EAC. To assist the EAC in executing its leadership role, GAO has previously 
made recommendations to the commission aimed at better planning its 
ongoing and future activities relative to, for example, system standards and 
information sharing. While the EAC agreed with the recommendations, it 
stated that its ability to effectively execute its role is constrained by a lack of 
adequate resources. 

www.gao.gov/cgi-bin/getrpt?GAO-07-741T. 

To view the full product, including the scope 
and methodology, click on the link above. 
For more information, contact Randolph C. 
Hite at (202) 512-3439 or hiter@gao.gov. 




Abbreviations 


COTS commercial off-the-shelf 

DRE direct recording electronic 

EAC Election Assistance Commission 

FEC Federal Election Commission 

GSA General Services Administration 

HAVA Help America Vote Act of 2002 

NIST National Institute of Standards and Technology 








April 18, 2007 

Mr. Chairman and Members of the Subcommittee: 

I appreciate the opportunity to participate in today’s hearing on our 
nation’s election system. As requested, my testimony will focus on 
our recent work on the security and reliability of electronic voting 
systems,¹ including the national certification and accreditation 
programs related to these systems and other efforts of the Election 
Assistance Commission (EAC). 

During the 2000 national elections, concerns were raised about 
“hanging chads” and “butterfly ballots.” In the 2004 and 2006 
elections, concerns shifted to “software bugs” and “voter verifiable 
paper trails.” In light of these and other election concerns, we 
produced a series of reports between 2001 and 2006 in which we 
examined virtually every aspect of the election process, including 
types of voting technology. We reported that the particular 
technology used to cast and count votes is a critical part of how 
elections are conducted, but it is only one facet of a multifaceted 
election process that involves the interplay of people, processes, 
and technology. Accordingly, we have long held the position that no 
voting technology, however well designed, can be a magic bullet 
that will solve all election problems. 

My testimony today addresses four perspectives on the voting 
system environment: (1) the contextual role and characteristics of 
electronic voting systems, (2) the range of security and reliability 
concerns that have been reported about these systems, (3) the 
experiences and management practices of states and local 
jurisdictions regarding these systems, and (4) longstanding and 
emerging intergovernmental challenges in using these systems. 

In preparing this testimony, we drew extensively from our published 
work on the election process.² In addition, we reviewed recent 


¹ In this testimony, the term electronic voting system is used generically to refer to 
both optical scan systems and direct recording electronic systems, both of which 
depend on electronic technology. Each type of system is described more fully in 
the background section of this testimony. 

² For example, GAO, Elections: The Nation’s Evolving Election System as 
Reflected in the November 2004 General Election, GAO-06-450 (Washington, D.C.: 
June 6, 2006); Elections: Federal Efforts to Improve Security and Reliability of 
Electronic Voting Systems Are Under Way, but Key Activities Need to Be 






The challenges confronting all levels of government in acquiring and 
operating voting systems for future elections are not unlike those 
faced by any technology user: adoption and consistent application 
of standards for system capabilities and performance; successful 
management and integration of the people, process, and technology 
components; rigorous and disciplined performance of testing and 
security activities; reliable measurement to determine whether the 
systems are performing as intended; and an analytical and 
economically justified basis for making informed decisions about 
voting system investment options. These challenges are heightened 
by other conditions common to both the national elections 
community and other information technology environments: the 
distribution of responsibilities among various organizations, 
technology changes, funding opportunities and constraints, 
emerging requirements and guidance, and public attention. 

Given the diffused and decentralized allocation of voting system 
roles and responsibilities across all levels of government, addressing 
these challenges will require the combined efforts of all levels of 
government, under the leadership of the EAC. To assist the EAC in 
executing its leadership role, we previously made recommendations 
to the commission aimed at better planning its ongoing and future 
activities relative to, for example, system standards and information 
sharing. While the EAC agreed with the recommendations, it told us 
that its ability to effectively execute its role is constrained by a lack 
of resources. In our view, the adequacy of resources at its disposal 
and the degree of cooperation it receives from entities spanning all 
levels of government are critical elements in the commission’s 
ability to perform its leadership role. 


Background 

Following the 2000 national elections, we produced a 
comprehensive series of reports covering our nation’s election 
process that culminated with a capping report and framework for 
Congress to use to enact reforms for election administration.’ Our 
reports were among the resources that Congress drew on in 


’See, for example, GAO, Elections: A Framework for Evaluating Reform 
Proposals, GAO-02-90 (Washington, D.C.: Oct. 15, 2001). 






• testing, certifying, decertifying, and recertifying voting system 
hardware and software through accredited laboratories; 

• making payments to states to help them improve elections in the 
areas of voting systems standards, provisional voting and voting 
information requirements, and computerized statewide voter 
registration lists; and 

• making grants for research on voting technology improvements. 


The act also established the Technical Guidelines Development 
Committee to support the EAC, making it responsible for 
recommending voluntary voting system guidelines to the EAC. The 
act assigned the National Institute of Standards and Technology 
(NIST) responsibility for providing technical support to the 
development committee and made the NIST Director the committee 
chair. 

The EAC began operations in January 2004, initially focusing on the 
distribution of funds to help states meet HAVA’s Title III 
requirements for uniform and nondiscriminatory election 
technology and administration, including the act’s requirements 
pertaining to voting system standards, provisional voting, voting 
information, a computerized statewide voter registration list, and 
identification for first-time voters who register to vote by mail. 
Actions EAC has taken since 2004 to improve voting systems 
include 

• publishing the Best Practices Toolkit and specialized 
management guides to assist states and local jurisdictions with 
managing election-related activities and equipment; 

• issuing voting system standards in 2005, referred to as the 
Voluntary Voting System Guidelines; 

• establishing procedures for certifying voting systems; 

• establishing a program for accreditation of independent testing 
laboratories, with support from NIST’s National Voluntary 
Laboratory Accreditation Program; 

• disbursing to states approximately $2.3 billion in appropriations 
for the replacement of older voting equipment and election 
administration improvements under Title III of HAVA; and 




Figure 1: Estimated Percentage of Jurisdictions Using Predominant Voting Methods in 2004, by Jurisdiction Size 

[Bar chart not reproduced. Vertical axis: percentage of jurisdictions. Horizontal axis: predominant voting method. Series: small (<10,000), medium (10,000-100,000), and large (>100,000) jurisdictions.] 

Source: GAO 2005 survey of local election jurisdictions. 

Note: Percentages for predominant voting methods within each jurisdiction size 
may not add to 100 because of rounding. 

The differences between small jurisdictions and both medium and large 
jurisdictions are statistically significant. 

The differences between both small and medium jurisdictions and large 
jurisdictions are statistically significant. 

The differences between both small and medium jurisdictions and large 
jurisdictions are statistically significant. 

The difference between small jurisdictions and large jurisdictions is statistically 
significant. 

The differences between small jurisdictions and both medium and large 
jurisdictions are statistically significant. 

Optical Scan Systems 


Optical scan voting systems use electronic technology to tabulate 
paper ballots. For the 2004 general election, we estimated that about 
51 percent of all local jurisdictions used optical scan voting 
equipment predominantly. 




Figure 2: Precinct-Count Optical Scan Tabulator and Central-Count Optical Scan 
Tabulator 

[Photographs not reproduced.] 

Source: Equipment vendors. 


Software instructs the tabulation equipment to assign each vote (i.e., 
to assign valid marks on the ballot to the proper candidate or issue). 
In addition to identifying the particular contests and candidates, the 
software can be configured to capture, for example, straight party 
voting and vote-for-no-more-than-N contests. Precinct-based optical 
scanners can also be programmed to detect overvotes (where the 
voter, for example, votes for two candidates for one office, 
invalidating the vote) and undervotes (where the voter does not vote 
for all contests or issues on the ballot) and to take some action in 
response (rejecting the ballot, for instance), so that voters can fix 
their mistakes before leaving the polling place. If ballots are 
tabulated centrally, voters do not have the opportunity to detect and 
correct mistakes that may have been made. In addition, optical scan 
systems often use vote tally software to tally the vote totals from 
one or more vote tabulation devices. 
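
The overvote and undervote handling described above can be sketched as follows. This is an added illustration, not code from GAO or from any voting system vendor; the contest names, candidates, sample ballots, and the choice to treat fewer than N marks in a vote-for-N contest as an undervote are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Contest:
    name: str
    candidates: tuple
    vote_for: int = 1  # the N in "vote for no more than N"


def classify(contest, marks):
    """Classify the valid marks in one contest as ok, undervote or overvote."""
    chosen = set(marks)
    unknown = chosen - set(contest.candidates)
    if unknown:
        raise ValueError(f"{contest.name}: marks for unknown options {sorted(unknown)}")
    if len(chosen) > contest.vote_for:
        return "overvote"
    if len(chosen) < contest.vote_for:  # assumption: fewer than N marks is an undervote
        return "undervote"
    return "ok"


def scan_ballot(contests, ballot, tally, precinct_count,
                reject_on=("overvote", "undervote")):
    """Tabulate one ballot.

    precinct_count=True models a precinct scanner that rejects the ballot so
    the voter can correct it. precinct_count=False models central counting:
    the voter is gone, so an overvoted contest is simply not counted.
    """
    findings = {c.name: classify(c, ballot.get(c.name, ())) for c in contests}
    problems = {name: f for name, f in findings.items() if f in reject_on}
    if precinct_count and problems:
        return {"accepted": False, "problems": problems}  # nothing is tallied
    for c in contests:
        if findings[c.name] == "overvote":
            continue  # an overvote invalidates the vote in that contest
        for candidate in set(ballot.get(c.name, ())):
            tally[(c.name, candidate)] += 1
    return {"accepted": True,
            "problems": {n: f for n, f in findings.items() if f != "ok"}}


# Constructed sample election and ballots (not real data).
CONTESTS = (
    Contest("Mayor", ("Adams", "Baker")),
    Contest("Council", ("Cole", "Diaz", "Egan", "Ford"), vote_for=2),
)
BALLOTS = [
    {"Mayor": ["Adams"], "Council": ["Cole", "Diaz"]},   # fully voted
    {"Mayor": ["Adams", "Baker"], "Council": ["Cole"]},  # overvote and undervote
    {"Council": ["Egan", "Ford"]},                       # Mayor left blank
]


def run(precinct_count):
    """Scan every sample ballot and return the tally and per-ballot results."""
    tally = Counter()
    results = [scan_ballot(CONTESTS, b, tally, precinct_count) for b in BALLOTS]
    return tally, results


if __name__ == "__main__":
    for mode in (True, False):
        tally, results = run(mode)
        print("precinct count" if mode else "central count")
        for number, result in enumerate(results, 1):
            print("  ballot", number, result)
        print("  tally", dict(tally))
```

With the same three ballots, the precinct-count run returns two ballots to the voter and tallies only the clean one, while the central-count run accepts all three and silently drops the overvoted Mayor contest.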




Figure 3: DRE Pushbutton and DRE Touch Screen 

[Photographs not reproduced.] 

Source: Local election officials and equipment vendor. 

Pushbutton and touch screen units differ significantly in the way 
they present ballots to the voter. With the pushbutton type, all ballot 
information is presented on a single “full-face” ballot. For example, 




means to open polls and to authorize voter access to ballots. For 
instance, smart cards on some DREs store program data on the 
election and are used to help set up the equipment; during setup, 
election workers verify that the card received is for the proper 
election. Other DREs are programmed to automatically activate 
when the voter inserts a smart card; the card brings up the correct 
ballot onto the screen. 

DREs offer various configurations for tallying the votes. Some 
contain removable storage media that can be taken from the voting 
device and transported to a central location to be tallied. Others can 
be configured to electronically transmit the vote totals from the 
polling place to a central tally location. Vote tally software is often 
used to tally the vote totals from one or more units. 

DREs were chosen as the predominant voting method by a relatively 
small overall proportion of local jurisdictions for the 2004 general 
election (7 percent overall). However, as previously shown in figure 
1, large and medium jurisdictions identified DREs as their 
predominant voting method (estimated at 30 percent and 20 percent 
of jurisdictions, respectively) more often than small jurisdictions 
(estimated at 1 percent). DREs were the leading choice among 
voting methods for both large and medium jurisdictions that 
planned to acquire voting systems before the 2006 general election 
(an estimated 34 percent of jurisdictions in both size groups). 


Contextual Role and Performance Characteristics of Electronic 
Voting Systems Are Important to Understanding Their Use 

Voting systems are one facet of a multifaceted, continuous elections 
process that involves the interplay of people, processes, and 
technology. All levels of government — federal, state, and local — 
share responsibilities for aspects of elections and voting systems. 
Moreover, effective performance of these systems is a product of 
effective system life cycle management, which includes systems 
definition, development, acquisition, operations, testing, and 
management. Such performance can be viewed in terms of several 
characteristics, such as security, reliability, ease of use, and cost 
effectiveness. 




process so that the details of administering elections are carried out 
at the city or county levels, and voting is done at the local level. This 
is important because local election jurisdictions number more than 
10,000 and their size varies enormously — from a rural county with 
about 200 voters to a large urban county such as Los Angeles 
County, where the total number of registered voters for the 2000 
elections exceeded the registered voter totals in 41 states. 

The size and demographics of a voting jurisdiction significantly 
affect the complexity of planning and conducting the election, as 
does the method used to cast and count votes. For example, 
jurisdictions using DRE systems may need to manage the electronic 
transmission of votes or vote counts, while jurisdictions using 
optical scan technology need to manage the transfer of the paper 
ballots this technology reads and tabulates. Jurisdictions using 
optical scan technology may also need to manage electronic 
transmissions if votes are counted at various locations and totals are 
electronically transmitted to a central tally point. No matter what 
technology is used, jurisdictions may need to provide ballot 
translations; however, the logistics of printing paper materials in a 
range of languages, as would be required for optical scan 
technology, is different from the logistics of programming 
translations into DRE units. 

Some states do have statewide election systems so that every voting 
jurisdiction uses similar processes and equipment, but others do 
not. For instance, we reported in 2001 that in Pennsylvania, local 
election officials told us that there were 67 counties and 
consequently 67 different ways of handling elections. In some 
states, such as Georgia, state law prescribes the use of common 
voting technology throughout the state while in other states, local 
election officials generally choose the voting technology to be used 
in their precincts, often from a list of state-certified options. 

Regardless of levels of government, however, election 
administration is a year-round activity, involving varying sets of 
people performing the activities of each stage of the election 
process. These stages generally consist of the following: 


GAO-02-3. 




Figure 4: Stages of Election Process 

[Diagram not reproduced.] 

Source: GAO analysis. 

Electronic voting systems are primarily involved in the last three 
stages, during which votes are recorded, cast, and counted. 

However, the type of system that a jurisdiction uses may affect 
earlier stages. For example, in a jurisdiction that uses optical scan 
systems, paper ballots like those used on Election Day may be 
mailed in the absentee voting stage. On the other hand, a jurisdiction 
that uses DRE technology would have to make a different provision 
for absentee voting. 


Management of Electronic Voting System Performance Is a Continuous Process 

The performance of any information technology system, including 
electronic voting systems, is heavily influenced by a number of 
factors, including how well the system is defined, developed, 
acquired, tested, and implemented. 

Like any information technology product, a voting system starts 
with the explicit definition of what the system is to do and how well 
it is to do it. These requirements are then translated into design 
specifications that are used to develop the system. Electronic voting 
systems are typically developed by vendors and then purchased as 
commercial off-the-shelf (COTS) products and implemented by state 
and local election administrators. During the development. 




choosing a vendor, writing and administering contracts, and testing 
the acquired system. 

Operations. Operation of voting systems is typically the 
responsibility of local jurisdictions. These activities include setting 
up systems before voting, vote capture and counting during 
elections, recounts and system audits after elections, and storage of 
systems between elections. Among other things, this phase includes 
activities associated with the physical environments in which the 
system operates. These include ensuring the physical security of the 
polling place and voting equipment and controlling the chain of 
custody for voting system components and supplies. The operations 
phase also includes monitoring of the election process by use of 
system audit logs and backups, and the collection, analysis, 
reporting, and resolution of election problems. 

Testing. As noted, testing is conducted by multiple entities 
throughout the life cycle of a voting system. Voting system vendors 
conduct testing during system development. National testing of 
systems is conducted by accredited independent testing authorities. 
Some states conduct testing before acquiring a system to determine 
how well it meets the specified performance parameters, or states 
may conduct certification testing to ensure that a system performs 
as specified by applicable laws and requirements. Once a voting 
system is delivered by the vendor, states and local jurisdictions may 
conduct acceptance testing to ensure that the system satisfies 
requirements. Finally, local jurisdictions typically conduct logic and 
accuracy tests prior to each election and sometimes subject 
portions of the system to parallel testing during each election. 

Management. Management processes ensure that each life cycle 
phase produces desirable outcomes and is conducted by the 
organization responsible for each life cycle phase. Voting system 
vendors manage the development phase, while states and/or local 
jurisdictions manage the acquisition and operations phases. Typical 
management activities that span the system life cycle include 
planning, configuration management, system performance review 
and evaluation, problem tracking and correction, human capital 
management, and user training. Management responsibilities related 
to security and reliability include program planning, disaster 
recovery and contingency planning, definition of security roles and 




closeness of the election. Both optical scan and DRE systems are 
claimed to be highly accurate. Although voting equipment may be 
designed and developed to count votes as recorded with 100 percent 
accuracy, how well the equipment counts votes as intended by 
voters is a function not only of equipment design, but also of how 
procedures are followed by election officials, technicians, and 
voters. It is also important to limit system down time so that polling 
places can handle the volume of voter traffic. 

Ease of Use. Ease of use (or user friendliness) depends largely on 
how voters interact physically and intellectually with the voting 
system. This interaction, commonly referred to as the 
human/machine interface, is a function of the system design and 
how it has been implemented. Ease of use depends on how well 
jurisdictions design ballots and educate voters on the use of the 
equipment. A voting system’s ease of use affects accuracy (i.e., 
whether the voter’s intent is captured), and it can also affect the 
efficiency of the voting process (confused voters take longer to 
vote). Accessibility by diverse types of voters, including those with 
disabilities, is a further aspect of ease of use. 

Cost. For a given jurisdiction, the particular cost associated with an 
electronic voting system will depend on the requirements of the 
jurisdiction as well as the particular equipment chosen. Voting 
equipment costs vary among types of voting equipment and among 
different manufacturers and models of the same type of equipment. 
Some of these differences can be attributed to differences in what is 
included in the unit cost. In addition to the equipment unit cost, an 
additional cost for jurisdictions is the software that operates the 
equipment, prepares the ballots, and tallies the votes (and in some 
cases, prepares the election results reports). Other factors affecting 
the acquisition cost of voting equipment are the number and types of 
peripherals required. Once jurisdictions acquire the voting 
equipment, they also incur the cost to operate and maintain it, which 
can vary considerably. 




reliability concerns merit the focused attention of federal, state, and 
local authorities responsible for election administration. 


Inadequate National Standards 

Appropriately defined and implemented standards for system 
functions and testing processes are essential to ensuring the 
security and reliability of voting systems across all phases of the 
elections process. States and local jurisdictions face the challenge of 
adapting to and consistently applying appropriate standards and 
guidance to address vulnerabilities and risks in their specific 
election environments. The national standards are voluntary, 
meaning that states are free to adopt them in whole or in part or 
reject them entirely. 

The Federal Election Commission (FEC) issued a set of voluntary 
voting system standards in 1990 and revised them in 2002. These 
standards identify requirements for electronic voting systems. 
Computer security experts and others criticized the 2002 voting 
system standards for not containing requirements sufficient to 
ensure secure and reliable voting systems. Common concerns with 
the standards involved their vague and incomplete security 
provisions, inadequate provisions for some commercial products 
and networks, and inadequate documentation requirements. 

In December 2006, EAC issued the Voluntary Voting System 
Guidelines, which includes additions and revisions for system 
functional requirements, performance characteristics, 
documentation requirements, and test evaluation criteria for the 
national certification of voting systems. These guidelines promote 
security measures that address gaps in prior standards and are 
applicable to more modern technologies, such as controls for 
software distribution and wireless operations. 

As we previously reported, the 2005 Voluntary Voting System 
Guidelines do not take effect until December 2007. Moreover, this 
version of the standards does not comprehensively address voting 
technology issues. For instance, they do not address COTS devices 
(such as card readers, printers, or personal computers) or software 
products (such as operating systems or database management 
systems) that are used in voting systems without modification. This 
is significant because computer security experts have raised 




design and development of secure and reliable electronic voting 
systems. Among other things, weak embedded security controls and 
audit trail design flaws were two major areas of concern: 

• Weak system security controls. Some electronic voting 
systems reportedly have weak software and hardware security 
controls. Regarding software controls, many security 
examinations reported flaws in how controls were implemented 
in some DRE systems to prevent unauthorized access. For 
example, one model failed to password-protect the supervisor 
functions controlling key system capabilities; another relied on 
an easily guessed password to access these functions. If 
exploited, these weaknesses could damage the integrity of 
ballots, votes, and voting system software by allowing 
unauthorized modifications. Regarding physical hardware 
controls, several recent reports found that certain DRE models 
contained weaknesses in controls designed to protect the 
system. For instance, reviewers were concerned that a particular 
model of DRE was set up in such a way that if one machine was 
accidentally or intentionally unplugged from the others, voting 
functions on the other machines in the network would be 
disrupted. In addition, reviewers found that the switches used to 
turn a DRE system on or off, as well as those used to close the 
polls on a particular DRE terminal, were not protected. 

• Design flaws in developing voter-verified paper audit 
trails. Establishing a voter-verified paper audit trail involves 
adding a paper printout to a DRE system so that a voter can 
review and verify his or her ballot. Some citizen advocacy 
groups, security experts, and elections officials advocate these 
audit trails as a protection against potential DRE flaws. 
However, other election officials and researchers have raised 
concerns about potential reliability and security flaws in the 
design of systems using voter-verified paper audit trails. If voting 
system mechanisms for protecting the paper audit trail were 
inadequate, an insider could associate voters with their 
individual paper ballots and votes, particularly if the system 
stored voter-verified ballots sequentially on a continuous roll of 
paper. If not protected, such information could breach voter 
privacy and confidentiality. 






regional vote tabulation computer was connected to the Internet 
and that local officials had not updated it with several security 
patches, thus needlessly exposing the system to security threats. 
In addition, several reports indicated that some state and local 
jurisdictions did not always have procedures in place to detect 
problems with their electronic voting systems such as ensuring 
the number of votes cast matched the number of signatures on 
precinct sign-in sheets. 


Inadequate Testing 

Security experts and some election officials have expressed 
concerns that the tests performed by independent testing authorities 
and state and local election officials do not adequately assess 
electronic voting systems’ security and reliability. These concerns 
are intensified by what some perceive as a lack of transparency in 
the testing process. 

• Inadequate security testing. Many computer security experts 
expressed concerns with weak or insufficient system testing, 
source code reviews, and penetration testing. To illustrate their 
concerns, they pointed to the fact that most of the systems that 
exhibited the weak security controls previously cited had been 
nationally certified after testing by an independent testing 
authority. Security experts and others point to this as an 
indication that both the standards and the testing program are 
not rigorous enough with respect to security. 

• Lack of transparency in the testing process. Security 
experts and some elections officials have raised concerns about 
a lack of transparency in the testing process. They note that the 
test plans used by the independent testing authorities, along with 
the test results, are treated as protected trade secrets and thus 
cannot be released to the public. Critics say that this lack of 
transparency hinders oversight and auditing of the testing 
process. This in turn makes it harder to determine the actual 
capabilities, potential vulnerabilities, and performance problems 
of a given system. Despite assertions by election officials and 
vendors that disclosing too much information about an 
electronic voting system could pose a security risk, one security 




election comply with the 2002 voting system standards. Nine of 
these 28 states would also require their jurisdictions to apply the 
1990 federal standards to new voting systems and 4 of the 28 would 
also require jurisdictions to use the 2006 voting system standards, 
which were in draft version at the time of our survey. (One other 
state also expected to apply the 2006 voting system standards.) Ten 
other of the 44 states reporting said that they expected to use hybrid 
standards that were based on one or more versions of the national 
standards, without specifying the composition of their hybrid, and 4 
states planned to use the national standards in 2006, but did not 
specify a version. (Five states responded that they did not require 
their voting systems to comply with any version of the national 
standards or had not yet made a decision on compliance with the 
standards for 2006. One state did not respond.) 


Jurisdictions Varied Widely in Applying Security Practices 

Local jurisdictions varied widely in the nature and extent of their 
voting system security efforts and activities during the 2004 election. 
Our research on recommended security practices shows that 
effective system security management involves having, among other 
things, (1) defined policies governing such system controls as 
authorized functions and access and documented procedures for 
secure normal operations and incident management; (2) 
documented plans for implementing policies and procedures; (3) 
clearly assigned roles and responsibilities for system security; and 
(4) verified use of technical and procedural controls designed to 
reduce the risk of disruption, destruction, or unauthorized 
modification of systems and their information. Jurisdictions’ efforts 
in each of these areas for the November 2004 general election are 
discussed here. 

Policies and procedures. Many jurisdictions reported having 
written policies and procedures for certain aspects of security 
related to their voting systems, but others did not. Written security 
policies were more prevalent among large jurisdictions (an 
estimated 65 percent) than small jurisdictions (an estimated 41 
percent). An estimated one-fifth of jurisdictions reported that they 
did not have written policies and procedures in place for 
transporting ballots or electronic memory, storing ballots, or 
electronic transmission of voted ballots to ensure ballot security. In 




responsible for implementing security controls, while state officials 
were usually involved with developing security policy and guidance 
and monitoring local jurisdictions’ implementation of security. Some 
jurisdictions reported that other entities performed tasks such as 
securing voting equipment during transport or storage and training 
election personnel for security awareness. Similarly, 26 states 
reported that security monitoring and evaluation was performed by 
two or more entities. In 22 states and the District of Columbia, 
responsibility for security monitoring and evaluation was shared 
between the state and local election officials. States also reported 
cases where other entities (e.g., independent consultants or 
vendors) were involved in monitoring and evaluating controls. The 
entities that were assigned tasks and responsibilities at the local 
jurisdictions we visited are described in table 1. 


Table 1: Voting System Security Tasks and Responsibilities for the 2004 General Election Reported by Election Officials in Local Jurisdictions Visited by GAO 

Examples of voting system security tasks identified by            Performing entity
local officials                                                   Local officials  State  Other entities

Secure ballot programming                                         X
Sealing of voted ballots                                          X
Secure storage of voting equipment                                X                       X (e.g., schools)
Video surveillance of stored equipment or ballots                 X
Access control to stored election materials                       X
Protection of voting equipment and materials during transport     X                       X (e.g., law enforcement officials)
Inventory management of voting equipment and ballots              X
Monitoring vote tallying systems for unauthorized connections     X
Impoundment of election materials after elections                 X
Monitoring and testing of equipment accuracy before, during,      X                X      X
  and after elections
Security awareness training for election personnel                X                X      X
Certification of voting equipment                                 X                X
Development of security policies and guidance for jurisdictions   X                X
Monitoring implementation of security policies by jurisdictions   X                X



Source: GAO analysis of documents provided by local jurisdictions we visited. 




Figure 8: Estimated Use of Security Controls by Local Jurisdictions in the 2004 
General Election, by Jurisdiction Size 

[Bar chart not reproduced. Vertical axis: percentage of jurisdictions. Horizontal axis: voting system security controls (power or battery backup, access control, hardware locks and seals, electronic backup storage). Series: small, medium (10,000-100,000), and large (>100,000) jurisdictions.] 

Source: GAO 2005 survey of local election jurisdictions. 

Note: More than one group may have been identified with security 
responsibilities. 

The difference between small jurisdictions and medium jurisdictions is 
statistically significant. The 95 percent confidence interval for small jurisdictions 
is plus or minus 8 percentage points. 

The 95 percent confidence interval for small jurisdictions is plus or minus 8 
percentage points. 

The differences between small jurisdictions and both medium and large 
jurisdictions are statistically significant. The 95 percent confidence interval for 
small jurisdictions is plus or minus 8 percentage points. 

Among the jurisdictions that we visited, election officials reported 
that various security measures were in use during the 2004 general 
election to safeguard voting equipment, ballots, and votes before, 
during, and after the election. However, the measures were not 
uniformly reported by officials in these jurisdictions, and officials in 




unauthorized remote access, including locally controlled passwords, 
passwords that change for each access, and local control of 
communications connections. However, the percentage of 
jurisdictions with remote access may actually be higher because 7 to 
8 percent of jurisdictions did not know if remote access was 
available for their systems. 


Some Types of Testing Were Not Commonly Performed 

To ensure that voting systems perform as intended, the systems 
must be effectively tested. Voting system test and evaluation can be 
grouped into various types, or stages: certification testing (national 
level), certification testing (state level), acceptance testing, 
readiness testing, parallel testing, and postelection voting system 
audits. Each of these tests has a specific purpose and is conducted 
at the national, state, or local level at a particular time in the 
election cycle. Table 3 summarizes these types of tests. 




states and jurisdictions conducted parallel testing during elections 
or audits of voting systems following elections. State and local 
responses to our surveys are summarized here relative to each type 
of testing. 

National certification. Most states continued to require that 
voting systems be nationally tested and certified. For voting systems 
being used for the first time in the 2004 general election, national 
certification testing was almost always uniformly required. In 
particular, 26 of 27 states using DRE for the first time in this 
election, as well as the District of Columbia, required their systems 
to be nationally certified, while 9 of the 10 states using punch card 
equipment for the first time and 30 of 35 states and the District of 
Columbia using optical scan equipment for the first time, reported 
such requirements. However, for the 2004 general election, we 
estimated that 68 percent of jurisdictions did not know whether 
their respective systems were nationally certified. This uncertainty 
surrounding the certification status of a specific version of voting 
system at the local level underscores our concern that even though 
voting system software may have been qualified and certified at the 
national or state levels, software changes and upgrades performed 
at the local level may not be. 

State certification. For the November 2004 general election, 42 
states and the District of Columbia reported that they required state 
certification of voting systems. Seven of these states purchased 
voting systems at the state level for local jurisdictions. Officials for 
the remaining states and the District of Columbia reported that 
responsibility for purchasing a state-certified voting system rested 
with the local jurisdiction. While state certification requirements 
often included national testing as well as confirmation of 
functionality for particular ballot conditions, some states also 
required additional features such as construction quality, 
transportation safety, and documentation. Among the remaining 8 
states that did not require state certification, officials described 
other mechanisms to address the compliance of voting equipment 
with state-specific requirements, such as a state approval process or 
acceptance of voting equipment based on federal certification. 

For the 2006 general election, 44 states reported that they would 
have requirements for certification of voting systems, 2 more states 




systems at the state level, the local level, or both (one state did not 
require readiness testing). Most states (37) required local 
jurisdictions to perform readiness testing. However, 7 states 
reported that they performed their own readiness testing for the 
2004 general election in addition to local testing. Five states and the 
District of Columbia reported that they had no requirements for 
local jurisdictions to perform readiness testing but conducted this 
testing themselves. 

State laws or regulations in effect for the 2004 election typically had 
specific requirements for when readiness testing should be 
conducted and who was responsible for testing, sometimes 
including public demonstrations of voting system operations. We 
found that most jurisdictions conducted readiness testing, also 
known as logic and accuracy testing, for both the 2000 and 2004 
general elections. Election officials in all of the local jurisdictions 
we visited following the 2004 election reported that they conducted 
readiness testing on their voting equipment using one or more 
approaches, such as diagnostic tests, integration tests, mock 
elections, and sets of test votes, or a combination of approaches. 

Security testing. Security testing was reportedly performed by 17 
states and the District of Columbia for the voting systems used in 
the 2004 general election, and 7 other states reported that they 
required local jurisdictions to conduct such testing. The remaining 
22 states said that they did not conduct or require system security 
testing. (Three states reported that security testing was not 
applicable for their voting systems.) Moreover, we estimated that at 
least 19 percent of local jurisdictions nationwide (excluding 
jurisdictions that reported that they used paper ballots) did not 
conduct security testing for the systems they used in the November 
2004 election. Although jurisdiction size was not a factor in whether 
security testing was performed, the percentage of jurisdictions 
performing security testing was notably higher when the 
predominant voting method was DRE (63 percent**) and lower for 


The 95 percent confidence interval for DRE is plus 14 or minus 15 percentage 
points. 




for the 2004 general election varied in when and how these audits 
were to be conducted. 

We estimated that 43 percent of jurisdictions that used voting 
systems for at least some of their voting conducted postelection 
voting system audits. This practice was much more prevalent at 
large and medium jurisdictions (62 percent and 56 percent, 
respectively) than small jurisdictions (34 percent). We further 
estimated that these voting system audits were conducted more 
frequently in jurisdictions with central count optical scan voting 
methods (64 percent) than they were in jurisdictions with precinct 
count optical scan voting methods (35 percent). 


Jurisdictions Did Not Consistently Monitor Voting System Performance 

It is important that performance be measured during system 
operation. As we reported in 2001 and 2006, measuring how well 
voting systems perform during a given election allows local officials 
to better position themselves for ensuring that elections are 
conducted properly. Such measurement also provides the basis for 
knowing where performance needs, requirements, and expectations 
are not being met so that timely corrective action can be taken to 
ensure the security and reliability of the voting system. Jurisdictions 
without supporting measures for security and reliability may lack 
sufficient insight into their system operations. 

Overall, responses to our local jurisdiction survey show that large 
jurisdictions were most likely to record voting system performance 
and small jurisdictions were least likely. We estimated that 42 
percent of jurisdictions overall monitored the accuracy of voting 
equipment in the 2004 general election. Other measures recorded 
were spoiled ballots (estimated at 50 percent of jurisdictions), 
undervotes (50 percent of jurisdictions), and overvotes (49 percent 
of jurisdictions). During our visits to local jurisdictions, election 
officials in several jurisdictions told us that measuring overvotes 
was not a relevant performance indicator for jurisdictions using 


The 95 percent confidence interval for large jurisdictions is plus or minus 8 
percentage points, and for small jurisdictions it is plus or minus 7 percentage 
points. 

An estimated 25 percent of respondents selected "not applicable" to the question 
on spoiled/ruined ballots in their survey response. 




We estimated that 15 percent of jurisdictions measured voting 
system failure rates and 11 percent measured system downtime. A 
higher percentage of large and medium jurisdictions collected these 
performance data than small jurisdictions. Collection of these data 
was also related to the predominant voting method used by a 
jurisdiction, with jurisdictions that predominantly used DREs more 
likely to collect system data than those that used precinct count or 
central count optical scan voting methods (an estimated 45 percent 
of jurisdictions versus 23 percent or 10 percent, respectively). 

Figure 8 shows the percentages of small, medium, and large 
jurisdictions that collected information on voting equipment failures 
and downtime. Figure 9 shows the percentages by predominant 
voting method of all jurisdictions that collected data on equipment 
failures. 


An estimated 66 percent of respondents selected the response "not applicable" 
for the survey questions on measurement of pieces of equipment that failed and 
equipment downtime. 




Figure 9: Estimated Percentages of Jurisdictions that Collected Information on 
Voting Equipment Failures for the 2004 General Election, by Predominant Voting 
Method 

[Bar chart not reproduced. Vertical axis: percentage of jurisdictions; 
horizontal axis: predominant voting methods.] 

Source: GAO 2005 survey of local election jurisdictions. 

Note: The differences between DRE and both central count and precinct count 
optical scan voting methods are statistically significant. 

The 95 percent confidence interval for DRE is plus or minus 13 percentage points. 

The 95 percent confidence interval for central count optical scan percentages is 
plus 7 or minus 5 percentage points. 

The 95 percent confidence interval for precinct count optical scan percentages is 
plus 8 or minus 7 percentage points. 

Further, an estimated 55 percent of all jurisdictions kept a written 
record of issues and problems that occurred on Election Day, which 
could be a potential source of performance data. Large jurisdictions 
were more likely to keep a written record of issues or problems that 
occurred on Election Day. Specifically, we estimated that 79 percent 
of large jurisdictions kept such records, compared with 59 percent 




recommendations, it told us that its ability to effectively execute its 
role is resource constrained. 


Establishing and Applying Current and Comprehensive Standards 

The extent to which states and local jurisdictions adopt and 
consistently apply up-to-date voting system standards directly 
affects the security and reliability of voting systems during 
elections. For the 2006 general election, a substantial proportion of 
states and jurisdictions had yet to adopt the most current federal 
voting system standards or related performance measures, meaning 
that the systems they employ may not perform as securely and 
reliably as desired. Beyond this, decisions by states and local 
jurisdictions to apply these latest standards for the 2008 election 
present additional challenges such as (1) whether the systems can 
be tested and certified in time for the election and (2) adopting 
standards that are now undergoing revision rather than continued 
use of earlier standards or later adoption of even newer standards. 

EAC plays an important role in ensuring the timely testing and 
certification of voting systems against the latest standards and in 
informing state and local decisions on whether to adopt these 
standards for the 2008 election. Accordingly, we have recommended 
that EAC define tasks and time frames for achieving the full 
operational capability of the national voting system certification 
program. These management elements would need to take into 
account estimating testing capacity and expected volume for the 
testing laboratory accreditation program, establishing protocols and 
time frames for reviewing certification packages, and setting norms 
for timely consideration and decision making regarding system 
certifications. Sharing this information with state and local election 
officials would help them to plan for system upgrades, testing, and 
state certification to meet their upcoming election cycles. 

States and local jurisdictions must also consider the timely adoption 
of standards in light of the additional work that is currently under 
way and planned to address known weaknesses in the national 
standards. For example, in addition to establishing minimum 
functional and performance requirements for voting systems, 
standards can also be used to govern integration of election 
systems, such as the accuracy, reliability, privacy, and security of 




of adapting and implementing the directives to meet the needs of 
their specific election environments. 


Managing the People, Processes, and Technology as Components of the Overall Process 

As previously stated, jurisdictions need to manage the triad of 
people, processes, and technology as interrelated and 
interdependent parts of the total voting process. Given the amount 
of time that remains between now and the November 2008 elections, 
jurisdictions’ voting system performance is more likely to be 
influenced by improvements in poll worker system operation 
training, voter education about system use, and vote casting and 
counting procedures than by changes to the physical systems. The 
challenge for voting jurisdictions is thus to ensure that these people 
and process issues are dealt with effectively. 

In this regard, the election management decisions and practices of 
states and local jurisdictions can benefit from the experiences and 
results of those with comparable election environments. In 2004 and 
again in 2006, EAC compiled such information into guidance 
documents for widespread use by election officials. However, as the 
election environment and voting systems continue to evolve, 
additional lessons and topics will undoubtedly surface. Accordingly, 
we have recommended that the EAC establish a process and 
schedule for periodically compiling and disseminating 
recommended practices for security and reliability across the 
system life cycle and that the practices be informed by information 
it collects on the problems and vulnerabilities of these systems. 
Incorporating the feedback obtained through actual voting system 
development, acquisition, preparation, and operations into practical 
guidance will allow the election community to be more robust and 
efficient. 


Gathering and Using Reliable System Performance Measures and Data and Making 
Informed Investment Decisions 

Reliable measures and objective data are needed for jurisdictions to 
know whether the technology they use is meeting the needs of the 
user communities (both the voters and the officials who administer 
the elections). While the vast majority of jurisdictions reported that 
they were satisfied with the performance of their respective 



this link alone cannot make an election, it can break one. The 
problems that some jurisdictions have experienced and the serious 
concerns that have surfaced highlight the potential for continuing 
difficulties in upcoming national elections if these challenges are not 
effectively addressed. The EAC plays a vital role related to ensuring 
that election officials and voters are educated and well informed 
about the proper implementation and use of electronic voting 
systems and ensuring that jurisdictions take the appropriate steps — 
related to people, process, and technology — that are needed 
regarding security, testing, and operations. More strategically, the 
EAC needs to move swiftly to strengthen the voting system 
standards and the testing associated with enforcing them. However, 
the EAC alone cannot ensure that electronic voting system 
challenges are effectively addressed. State and local governments 
must also do their parts. Moreover, critical to the commission’s 
ability to do its part will be the adequacy of resources at its disposal 
and the degree of cooperation it receives from entities at all levels of 
government. 

Mr. Chairman, this concludes my statement. I would be pleased to 
answer any questions that you or other Members of the 
Subcommittee may have at this time. 


Contact and Acknowledgments 

For further information, please contact Randolph C. Hite at (202) 
512-3439 or by e-mail at hiter@gao.gov. Other key contributors to 
this testimony were Nancy Giover, Paula Moore, Sushmita Srikanth 
and Kim Zelonis. 


( 310645 ) 




Mr. Clay. Thank you very much. Thank you both for your testi- 
mony. 

Let me start with Mr. Hite. Mr. Hite, GAO’s past work on electronic 
voting systems highlights the need for vendors and election 
officials to better manage this equipment throughout the product 
life cycle. Have there been adequate best practices or requirements 
promulgated under the VVSG guidelines or under HAVA for stakeholders 
to follow? 

Mr. Hite. The voluntary voting system guidelines that you refer 
to in 2005, that take effect at the end of this year, is a vast im- 
provement over the standards that were in place prior to this. Is 
it complete and comprehensive relative to the range of security pro- 
visions that need to be in the standards? No. It is a work in process 
in that regard, and it will need to evolve over time. 

Mr. Clay. Doesn’t the lack of effective system standards hinder 
the implementation of stronger stewardship best practices? 

Mr. Hite. Yes, sir. It is a key variable in that equation. It is ac- 
tually a double-edged sword. On the one hand, you want to have 
the most up to date, robust, comprehensive standards that you can 
have. At the same time, you have to consider the capacity to imple- 
ment those standards, and the impact it is going to have on the 
States and the jurisdictions out there to adjust their systems envi- 
ronment to comply with those standards. It is not something that 
can be done overnight. 

So you are trying to balance the two from a practical standpoint 
in terms of the pace at which you are asking jurisdictions to im- 
prove, and their capacity to improve. 

Mr. Clay. Well, there is a problem that the standards were not 
put in place initially, and that people didn’t have many guidelines 
to follow? 

Mr. Hite. Absolutely. The root cause of this is that the standards 
were pretty much stagnant for virtually a decade. So we are trying 
to play catch-up relative to putting in place the kind of quality 
standards that are needed. 

Mr. Clay. Has NIST begun to research the larger issues of elec- 
tronic voting system architecture, as opposed to testing and evalua- 
tion of current products on the market, in order to address the in- 
herent vulnerabilities in the systems currently in use? Has that 
started to occur? 

Mr. Hite. Sir, I don’t have the answer to that because I don’t 
know. It kind of relates to the point that we were making relative 
to creating more transparency around what is going to be done, 
when, relative to getting to the desired end with regard to stand- 
ards in other areas. 

Mr. Clay. Thank you for that response. 

Ms. Hillman, it has been stated that individuals with expertise 
and experience in assistive technology have not been involved in 
discussions regarding voting security and in judging conformance 
to accessibility standards. I know that Dr. Diane Golden, who will 
testify on the following panel, has provided testimony to the EAC 
and the TGDC. 

Can you tell me, beyond this, to what extent has the EAC tried 
to involve experts from the assistive technology community in de- 
velopment of standards? 





Ms. Hillman. Yes. On the Technical Guidelines Development 
Committee, there are two members representing the Access Board, 
and certainly concerns from the disability community are brought 
to discussions of the voluntary guidelines through their participa- 
tion. 

In addition, the EAC has met with members of the disability 
community. One of the members of our Board of Advisors rep- 
resents the American Association of Persons with Disabilities. And 
we post all of our draft guidelines out for public comment. Of 6,000 
comments we received, I know that several hundred came from 
members of the disability community. 

Mr. Clay. Thank you for that. 

GAO has offered the EAC a list of open recommendations from 
its 2005 report on the reliability of e-voting systems. Some of these 
recommendations address critical topics such as the NIST’s work 
on software assurance and interim standards for the certification 
of e-voting products. Does the EAC intend to implement all of the 
GAO’s recommendations? What is the status of the commission’s 
implementation efforts? 

Ms. Hillman. As Mr. Hite indicated, we did agree with their rec- 
ommendations and we are certainly working to make certain that 
our program to test and certify voting systems is done in a way 
that does two things. It provides the rigorous testing to assure elec- 
tion officials that the machines are compliant, and that the process 
is as open and understanding to the public so that we can get past 
some of the technicalities and the public can appreciate the bene- 
fits of the Federal Government testing and certifying machines. 

The process is new. I think, as you know, the Election Assistance 
Commission was set up in a way that we lost a good year of oper- 
ation before we could really begin our work, due to lack of funding. 
But once that began, we have caught up. Our certification program 
is in place. We have accredited laboratories that are poised and 
ready to begin that testing. 

Mr. Clay. Thank you for that response. 

We have some additional Members that joined us. I will go to the 
gentleman from Kentucky, Mr. Yarmuth. I understand you have an 
opening statement. 

Mr. Yarmuth. Thank you, Mr. Chairman. I will just submit it for 
the record. That will be fine. I appreciate it. 

[The prepared statement of Hon. John A. Yarmuth follows:] 





Congressman John Yarmuth (KY-3) 

Information Policy, Census, and National Archives 
Subcommittee 

“Ensuring Fairness and Accuracy in Elections 

Involving Electronic 
Voting Systems” 

Wednesday, April 18, 2007 - 2:00 P. M. 

2154 Rayburn HOB 

"Mr. Chairman Clay and Ranking Member 
Turner, I want to thank you for conducting 
this hearing, which I consider to be of the 
highest importance to our democracy. 

For more than two hundred years, America 
helped democracy spread, simply by leading 
by example, by shining a light on the vast 
potential of freedom. Now, as the current 
Administration pursues a more aggressive 
implementation of democratic elections 
throughout the world, we find ourselves in 
the precarious position of doubting our own 
system. With so many of our own citizens 
questioning whether or not their vote is 
counted, we are rapidly losing the 
capability to lead by example. 

The problems are apparent - easily 
manipulated and faulty voting machines, 
inaccessibility, and even the expressed 
intent by the CEO of Diebold, which 
manufactures voting machines, to "deliver" 
electoral votes for the President. And 
after numerous studies, the solutions are 
also apparent. What has not been apparent 
is the political will to act. While voter 
confidence waned, so too did the sacredness 
with which we hold American democracy. 

I am hopeful that this hearing signals an 
end to that complacency and insecurity. I 
am joined by a growing number of my 
colleagues who recognize that the 
reliability and transparency of our election 
process is the cornerstone of the freedom 
upon which America was founded, and not 
until we can ensure the legitimacy of our 
democratic process will we again begin to 
live up to the standards and fulfill the 
dreams laid out by our founding fathers. 

I look forward to hearing from our witnesses 
today to better understand the failures in 
our past, and to discover what else we can 
do to ensure success in the future. 


Thanks, y'all." 





Mr. Clay. Would the gentleman care to ask questions? 

Mr. Yarmuth. I think I will pass at this time. Thank you. 

Mr. Clay. OK. 

The gentleman from New Hampshire, do you have an opening 
statement? 

Mr. Hodes. Thank you, Mr. Chairman. I do have a brief state- 
ment. 

Mr. Clay. You may proceed. 

Mr. Hodes. Thank you, Mr. Chairman. 

I want to thank you for holding this important hearing on fair- 
ness and accuracy in elections, with a focus on electronic voting 
systems. 

I also want to thank the panel for being here today. I look for- 
ward to hearing the rest of your testimony, and your testimony, sir. 

Nothing is more critical to our democracy than the integrity of 
our elections. After punch card ballots proved to be ineffective for 
recounting votes in the 2000 Presidential election, Congress took 
an important step toward ensuring the accuracy of election results 
with the Help America Vote Act of 2002. In 2004, more voters than 
ever before used the optical scan voting system that produces indi- 
vidual paper ballots, but other electronic systems were shown to be 
flawed. 

Today, the goal of effective standards for voting systems still 
faces serious obstacles. As we work to ensure the accuracy and se- 
curity of Federal elections, we must be careful not to preempt State 
and local election systems. In my home State of New Hampshire, 
the optical scan systems, combined with hand counting procedures, 
have produced accurate election results. The Election Assistance 
Commission must ensure that new standards do not threaten exist- 
ing voting systems that work. 

Congress must remain committed to its role of oversight over vot- 
ing system standards and ensure that critical decisions are made 
after careful consideration of possible consequences. 

Finally, we must ensure that voting systems generate paper vot- 
ing records that are not susceptible to hackers and electronic 
glitches. 

Again, thank you for being here today. I look forward to hearing 
your thoughts as we consider these important issues. 

Thank you, Mr. Chairman. 

Mr. Clay. Thank you very much. 

The gentleman from Kentucky, would you care to ask questions? 

The gentleman from New Hampshire, do you have questions for 
the witnesses? Mr. Hodes. You may proceed. 

Mr. Hodes. Thank you, Mr. Chairman. 

Commissioner Hillman, I serve on the House Financial Services 
Committee. When one of my constituents goes to a bank and makes 
a transaction, they get a paper receipt, in addition to the electronic 
records the bank keeps. However, when a voter casts a ballot in 
some States with a direct record electronic voting system, there is 
no individual paper ballots that can be used if a recount is needed. 

Isn’t it true that some DRE systems only require one printout of 
all ballots cast, and not individual ballots that can be recounted? 

Ms. Hillman. Sir, it is true that all DREs require the system to 
be able to print out a paper record of all transactions that happened 
on that machine. That information is contained within the 
system. Some of those systems have a printer to produce a paper 
trail and many do not. 

Mr. Hodes. Don’t you think there should be a similar individual 
paper record system for all individual ballots in the transaction, es- 
pecially since this isn’t just a financial transaction, but voting is 
the basis for our system of democracy? 

Ms. Hillman. EAC has made certain that our voting system 
standards include guidelines for the use of a printer to produce a 
paper trail. Many States through their legislative actions already 
require such a paper trail. HAVA allows the States to choose their 
own voting systems and to determine what type of machine they 
will use. So EAC accepts the responsibility to produce standards for 
all types of voting systems. 

Mr. Hodes. Has the EAC required individual paper records of 
each ballot cast? 

Ms. Hillman. No, we have not required that. 

Mr. Hodes. Do you think that ought to happen? 

Ms. Hillman. Congressman, I appreciate your question, but I am 
also respecting the role that HAVA prescribes to the EAC and to 
the States. It has left the decisionmaking of the manner in which 
voting systems will be used up to the States. So at this point, EAC 
has not seen it as its authority to tell States that it must use a 
paper trail. 

Mr. Hodes. So if the EAC doesn’t have the authority and you 
have left it to the individual States, it is essentially up to Congress 
to legislate whether or not an individual paper record for each bal- 
lot cast needs to be produced for every voter. 

Ms. Hillman. With due respect, it was Congress who left it up 
to the States to make the decision in the first place. EAC doesn’t 
have that authority, so we are not telling the States that it is their 
responsibility. We are simply following what the Help America 
Vote Act provides for. 

Mr. Hodes. So my question was, therefore if Congress wanted to 
change it and require an individual paper record for each vote cast, 
it would be up to Congress to legislate that. 

Ms. Hillman. It would, sir. 

Mr. Hodes. For Mr. Hite, a question for you, sir. It is my under- 
standing that no one from the EAC has been asked to testify before 
Congress since 2004. In your opinion, has Congress done an effec- 
tive job of providing oversight over the EAC and its critical work 
to improve Federal election accuracy in the last 5 years? 

Mr. Hite. For an organization that works for the Congress, that 
is really a loaded question for me to have to respond to. 

One point of clarification, the EAC has testified since 2004 before 
committees of Congress. I have sat beside the chairwoman here in 
doing that. 

I would say that there has been extensive oversight with respect 
to elections since 2004. There is a proliferation of legislation associ- 
ated with making changes to HAVA and other aspects of the elec- 
tion process. So I would compliment the Congress for the extent of 
the oversight that it has provided to this area. 

Mr. Hodes. I have one further question. Currently, it is my 
understanding that the GAO recently reported that 44 States have 
laws requiring some form of compliance with Federal EAC VVSG 
guidelines or FEC voting system standards. What happens to 
States such as New York when voluntary guidelines become 
mandatory? 

Mr. Hite. Are you asking if they are made mandatory by the 
State? 

Mr. Hodes. Yes. 

Mr. Hite. Well, then the States have that prerogative to adopt 
the guidelines and to treat them by reference as mandatory re- 
quirements for their jurisdictions. 

Mr. Hodes. What are the consequences from a management 
perspective? It is my understanding that New York has not fully 
complied with HAVA with regard to accessible voting machines, but it 
doesn’t have clear signals from the EAC as yet regarding what 
voting system would be appropriate. It is caught, at least as far as I 
understand it, between competing versions of the 2002 voting 
system standards, 2005 VVSG-1 and VVSG-2 in draft forms. 

Mr. Hite. I don’t believe New York is in any different position 
than other States. States have adopted different versions of the 
standards. Not all States have adopted the 2005 standards. Some 
are using a combination. Some are using the 2002 standards. 

So they are all faced with this dilemma of which standards do 
we adopt, in light of the fact that standards are going to evolve. 
There is going to be a next version of the standards. So at what 
point do we adopt which version of the standard from a practical 
standpoint to implement the systems in that particular State or 
that particular jurisdiction? 

Ms. Hillman. Sir, might I clarify about the standards? 

Mr. Hodes. Please. Thank you. 

Ms. Hillman. Before the establishment of the Election Assist- 
ance Commission, the FEC had responsibility for adopting stand- 
ards. The last set of standards adopted by FEC was in 2002, at the 
same time the Help America Vote Act was being debated by Con- 
gress. Those two things happened to come together at the same 
time, but they were complementary. 

What EAC has done since then, as required by HAVA, is to de- 
velop what are now called the voluntary guidelines. Because we 
had very limited resources and time, working with NIST, we up- 
dated the 2002 guidelines on certain critical sections such as secu- 
rity and accessibility for persons with disabilities. We also did 
make sure that the 2005 guidelines included all the HAVA require- 
ments. 

Working with the States, it became important that the effective 
date of our 2005 standards be such that the States would have 
time to work with their suppliers to have systems that met the 
standards. So we made the standards fully effective December of 
this year. 

In the meantime, States could still have their systems certified 
to the 2002 standards, but that was not an EAC responsibility. 
That was being done by an outside organization. Beginning Janu- 
ary of this year, EAC has fully implemented its testing and certifi- 
cation program. We are now accrediting laboratories to test against 
both the 2002 standards, as well as our newer 2005 standards. 





So it is true that for some States with laws that require the Fed- 
eral standards, they are having to change their State law to accom- 
modate that, but States have had 2 years to know what the re- 
quirements of our 2005 standards are before they become fully ef- 
fective. 

Mr. Clay. Thank you, Mr. Hodes. I appreciate that. 

Mr. Hodes. Thank you, Mr. Chairman. 

Mr. Clay. Let me preface my next question, Ms. Hillman, by say- 
ing that I have the utmost regard for your lifetime history in pro- 
tecting people’s voting rights throughout this country. That is why 
the next question is rather troubling for me. 

As you know, the New York Times and other newspapers have 
reported on EAC efforts to alter the findings of a report solicited 
by the Commission concerning the incidence of voter fraud. In fact, 
a New York Times editorial on Sunday, April 15th, points out that 
only 86 people were convicted of voter fraud since the Department 
of Justice began placing significant resources into investigating 
voter fraud more than 5 years ago. 

While I recognize that you are only one member of the board, I 
think hearing your perspective on insight on how the EAC made 
these decisions would be helpful to us as an oversight body. The 
original draft report findings said that among experts, “There is 
widespread, but not unanimous agreement that there is little poll- 
ing place fraud.” While the final version stated that there is a great 
deal of debate on the pervasiveness of fraud. 

Why were the original findings altered? 

Ms. Hillman. Thank you for the question. Before I answer, let 
me just say that I have provided each member of the committee 
with a copy of a statement that I issued yesterday on this issue. 

To put it in context, Mr. Chairman, the EAC commissioned two 
individuals to work as special government employees, to conduct 
research for us. We asked them to help define voter fraud and 
voter intimidation, so that in a future study everybody would know 
what we were studying; and second, to compile research that would 
inform EAC on a future study and to make recommendations from 
that research. 

We did not have the time or the money to commission the kind 
of study that would have allowed conclusions to be presented. The 
consultants did provide a summary of conclusions. Quite frankly, 
what would have been helpful if that summary had said based on 
an interview with this person, it is documented that there are con- 
cerns about intimidation of minority voters in a particular State, 
and we think that is an issue the EAC should look into; or several 
of the people interviewed believe the following to be true and we 
think the EAC should study that. 

And so some of the conclusions they presented, which were based 
on interviews with people, did not have data to support the conclu- 
sion. As much as I would like to sit here and say today that there 
is conclusionary evidence with respect to fraud and voter intimida- 
tion, that particular report does not provide us with that data. 

Mr. Clay. Were there anomalies or flawed research identified? 

Ms. Hillman. The conclusions that you are referring to were 
based on interviews with people. In addition to those interviews, 
the researchers compiled several hundred court cases. They did 
extensive review of news clips and other articles. The conclusions 
were not tied to those clips and articles. And so at the time that 
EAC adopted its report in December, what I believe we were saying 
was, this is information that helps us define what we will study 
and flags for us the issues we need to look into. 

I do not believe that the EAC could have reached agreement on 
the conclusions that were offered by the researchers without being 
able to validate those conclusions. And so as a result of the very 
serious allegations that have been made, EAC has asked its Inspec- 
tor General to look into this matter on both the voter fraud and 
intimidation study, as well as the voter ID study so that Congress 
and the public and the commissioners can know what the cir- 
cumstances were. 

Mr. Clay. I really find all of that peculiar that you all are going 
to an internal investigation about the actions that the Commission 
voted on. The Commission authorized the study by Rutgers Univer- 
sity, and then rejected its findings on voter ID laws, citing flawed 
methodology. Perhaps there is something wrong in the process 
there as far as how you go out and get these studies? 

Ms. Hillman. That would be a fair observation. With respect to 
the Rutgers study, I know that some of my colleagues believe that 
the methodology was flawed. I personally do not believe I could 
pass judgment on the methodology used by Rutgers. What I know 
is Rutgers didn’t give me comparative data. For example, I will just 
use your State, and I am making this up. If Missouri had imple- 
mented new voter identification requirements in 2002 and there 
was an analysis of what those requirements were and turnout in 
2004, it doesn’t tell me if those requirements alone contributed to 
a rise or fall in voter participation unless I can look at it, compared 
to 2000. 

Mr. Clay. OK. I am not going to prolong this much further, but 
you know what the effects are. 

Ms. Hillman. I absolutely do, sir. 

Mr. Clay. Are there intimidating effects of voter ID laws. I 
mean, it takes us back to reconstruction. It takes us back to figur- 
ing out how many jelly beans are in the jar, a literacy test. And 
that is the impact of voter ID laws. I am just surprised at the ac- 
tions of the EAC when they are here to protect America’s voter. 

I will recognize Mr. Sali for 5 minutes, sir. 

Mr. Sali. Thank you, Mr. Chairman. 

Ms. Hillman, are the States going to be able to meet the require- 
ments of the bill that is proposed by Mr. Holt before the 2008 elec- 
tions? 

Ms. Hillman. In my testimony, I did indicate that there will be 
at least 180,000 DRE voting systems in the country that would 
have to be upgraded or replaced, depending on the requirements of 
any legislation requiring VVPAT. And many States have expressed
to us concern that they would be able to meet that requirement by 
the 2008 deadline. 

Mr. Sali. Can you tell me what the major problems were that 
the election officials and poll workers had in the 2000 elections in 
transitioning to the new electronic voting devices and the require- 
ments of the Help America Vote Act? 





Ms. Hillman. Well, I think the overriding problem was one of 
time, and that is when the systems were received by the election 
officials using a brand new systems for the first time in an election, 
the training of the people who would use the system, the knowl- 
edge and experience to conduct the required independent logic and 
accuracy testing, the capacity to be able to test every machine. So 
a lot of what was experienced were human resource and financial 
resource limitations. 

Mr. Sali. And we will be repeating those again for 2008 if we 
pass this bill. Is that correct? 

Ms. Hillman. I certainly can’t speak on behalf of the States, but 
I can say I have heard loudly and clearly from States a concern 
that unless such a requirement is phased in, States would have a
major resource challenge to be able to meet any mandate. 

Mr. Sali. Is it more expensive to meet language requirements for 
ballots on an optical scanner or on a DRE? 

Ms. Hillman. It would be more expensive to do it on an optical 
scan because of the design and printing of the ballots. Whereas on 
the DRE, it is programming. 

Mr. Sali. Mr. Hite, has the GAO looked at the fiscal impact on 
State and local governments if Congress passes this bill? 

Mr. Hite. No, sir, we have not. 

Mr. Sali. For either of you, are either of you aware of an instance
where a case has been found and confirmed of an electronic
voting machine that has been hacked into, if you will, during an 
election? 

Ms. Hillman. I have not any information that would suggest 
that a DRE has been hacked into during an election while it was 
in the custody of an election official. There have been such experi- 
ments in controlled environments, which informs that the key to 
that would be knowledge of the system and access to the system. 

Mr. Sali. Let me ask the question a little different way. Are ei- 
ther of you aware of a situation where an electronic voting machine 
was hacked and it changed the outcome of an election or was 
raised as an issue in an election? 

Mr. Hite. No, sir. 

Ms. Hillman. No. 

Mr. Sali. That is all I have, Mr. Chairman. 

[The prepared statement of Hon. Bill Sali follows:] 





Opening Statement of Representative Bill Sali (ID) 

Mr. Chairman, 

My comments today are not directed at the witnesses or their testimonies. 
The proper working of voting machines is important, even essential, to 
representative self-government. Yet today’s hearing is based on an 
assumption I cannot accept. 

That assumption is this: It is the federal government’s role to enact and 
enforce laws respecting state voting processes for elections to prevent 
presidential election controversies like that surrounding the election of 2000. 

Mr. Chairman, I am troubled by that assumption. Our Constitution lays out 
the pattern for voting in executive office elections. At the same time, 
however, it provides Congress no authority to determine how states 
implement the Constitution’s demands. 

States are not merely administrative arms of the federal government. They 
do not exist simply to implement whatever ideas emanate from Capitol Hill 
or the White House. 

State governments are far closer to those they represent and serve than are 
we. States are different. Geography, tradition and population size all 
animate differing approaches to how and where and by what means people 
vote. My home state of Idaho is mountainous and, in the winter, very cold.
Travel to Coeur d’Alene in January and I assure you that you won’t be
jogging in your gym shorts as you might in Yuma, Arizona. 

All of our states have unique qualities that make them better suited than the 
“Washington Knows Best” crowd here in the heart of D.C. to determine how 
to provide their voters with accessible and reliable ways to vote, and to do so 
with confidence in the integrity of their own voting systems. 

Electronic voting is but one means a state or a locality might wish to 
employ. There are a number of others. But what kind of machine, device or 
even paper card is used is up to the states. 

But even more fundamentally, while Congress has a valid oversight function 
in enforcing federal laws, allow me to suggest that mandating a nationwide 
voting process, so comprehensive in scope that now we are discussing the 
mechanics of electronic voting apparatuses, is well beyond the purview of 
what the drafters and signers of the Constitution of our country ever 
envisioned. 

We should be concerned with voter fraud, to be sure. I trust we are all 
chilled by the cynical comment of the ruthless dictator Josef Stalin: “The 
people who cast the votes don't decide an election, the people who count the 
votes do.” 

But the federal government’s role in this matter should not diminish the 
rightful role of states in administering their own voting laws and practices. 




Thank you, Mr. Chairman. 




Mr. Clay. Thank you so much, Mr. Sali. 

Now, we will go to the gentleman from Kentucky, Mr. Yarmuth. 

Mr. Yarmuth. Thank you, Mr. Chairman. 

Could you, Ms. Hillman, offer us an opinion on how the EAC 
could alter the current accreditation and certification process in 
order for it to become more transparent and reliable? 

Ms. Hillman. Are you talking about the accreditation of the lab- 
oratories and the certifying of the systems? We are in discussions 
with NIST about that. When we established our certification proc- 
ess, we were in fact following the standard protocols used by, for 
one example, NIST’s Laboratory Accreditation Program. What we 
realized is that it will be useful to be able to provide updated infor- 
mation along the way before a laboratory is accredited, if people 
are interested in the status of that. 

I am not sure what mechanism. We are looking at the posting 
of information on the Web site, but what mechanism would be use- 
ful and informative to be able to keep people informed because the 
process takes several months to accredit a laboratory. 

And then similarly with the certification of the systems, the lab- 
oratories conduct the testing and then they provide a report to us. 
That report will be reviewed by technical reviewers at EAC before 
the recommendation comes for any certification. If there is concern 
that the machine go back for testing, that will be done. 

So we are looking at the process to see what is appropriate with- 
in those stages to make information available to the public about 
what the laboratory recommendation is at the time that it is made. 

Mr. Yarmuth. When you talk about 180,000 machines requiring 
updating to bring them into compliance with the requirements, and 
I guess part of it would depend on how extensive these 180,000 are 
or where they are, but would it make any sense to try to focus on 
the concentration of voting machines? Or are the electronic voting 
machines concentrated in, say, heavily populated areas? 

I understand the problem of requiring a lot of new technology 
and updated technology in relatively small communities, and 
maybe in some rural States. Is that a factor in trying to get imple- 
mentation of these requirements rolled out faster? Is that some- 
thing that we should be interested in? 

Ms. Hillman. One way to respond to your question, sir, would 
be to point out that the States of Maryland and Georgia currently 
use statewide DREs without a paper trail, and both of those States 
I think would be considered fairly heavily populated with major 
urban areas. 

In addition to that, the other large system without the paper 
trail would be in the State of Florida. Beyond that, there are juris- 
dictions all across the country. What is important to look at would 
be the process a State would have to go through to be able to ac- 
quire the equipment that would be needed to produce the paper 
trail. 

And so when I speak of the 180,000, depending on the technical 
requirements would determine whether a system would have to be 
upgraded or fully replaced, because some DRE systems do not have 
right now a printer that could be attached to produce the paper 
trail. So I think the timing and the requirements of it are impor- 
tant. 





My own personal opinion is that the ultimate requirement should 
be in place with recognition if Congress were to pass the law, with 
recognition of how long should be allowed for States to meet that 
requirement. 

Mr. Yarmuth. I yield back my time. Thank you. 

Mr. Clay. Thank you, Mr. Yarmuth. 

Mr. Hodes. 

Mr. Hodes. Thank you, Mr. Chairman. 

Commissioner Hillman, I am trying to understand as a new 
Member some of the political dynamics at work around the issues 
that you are dealing with. I would like your perspective. 

I got a letter from my New Hampshire Secretary of State, Bill 
Gardner. He indicated to me that the National Association of Sec- 
retaries of State in 2005 passed a resolution calling on Congress 
not to reauthorize the EAC after the 2006 general election. He sup- 
ported that resolution and supported sunsetting the EAC, as was 
apparently called for in the original HAVA Act. 

My sense is that he is concerned that the EAC will usurp his 
right to control New Hampshire’s successful paper ballot system. 
Can you offer me any of your thoughts on what relations have been 
between the EAC and the Secretaries of State, and how you have 
responded to the concerns of the Secretaries of State about ulti- 
mately who will control the integrity of the voting system and how 
it has worked? 

Ms. Hillman. Thank you for the question. Let me begin by say- 
ing that the relationships with the National Association of Sec- 
retaries of State is a very healthy one. We were there the day that 
NASS adopted the resolution, and in fact we were testifying the 
same day that they made the information available to the House 
Committee on Administration. 

What I will say from those discussions is that it was less about 
the role of EAC, because HAVA has been very, very clear about the 
delegation of responsibility for the administration of elections to 
the States; that the Election Assistance Commission was set up to 
assist the States in meeting the requirements of HAVA. Along the 
line, we have to gather information to do that. We do have full re- 
sponsibility for the testing and certification of voting systems, but 
again, voluntary compliance on the part of the States. 

We have a fiduciary responsibility to how States are expending 
the funds, and we do receive annual reports from the States, and 
our Inspector General is required to audit the States. But that is 
with respect to making certain that States have spent their money 
both in compliance with HAVA, as well as in compliance with their 
own State HAVA plan. 

I do believe that I am not mis-stating this, that the States were 
more concerned about whether Congress would invest more author- 
ity in EAC, than to the authority that EAC has now, because we 
do not have the authority and we do not tell the States what types 
of systems they should use. We cannot even tell them what we 
think should be statewide standards for provisional voting. Again, 
that is left to the States. They determine the kind of testing and 
certification that will be done on the voting systems used in their 
States. 





So I am hopeful. I do believe, based on the ongoing relations that 
we have with NASS, that issue is behind us. Although I will say 
that I know that election officials, State and local, are very concerned
about what might be the next wave of election reform and
what the requirements will be on those States. 

Mr. Hodes. So if I understand what you have said, from your
perspective, the States’ concern is that we in Congress would give 
more power to the EAC and that is what the Secretaries of State 
are concerned about. 

Ms. Hillman. At that time. I do not believe that is a continued 
concern, but that was in February 2005. That was 2 years ago. 

Mr. Hodes. Have you heard any expressions of concern that the
EAC is a creature, if you will, of the executive branch, with the 
President having the authority to appoint four commissioners with 
essentially de facto regulatory authority over the voting systems, 
although I hear your testimony that it is voluntary and you are 
providing assistance and guidance. But in essence, it seems you 
really are de facto having regulatory authority over the voting sys- 
tem. 

Have you heard any concerns that there are four Presidential ap- 
pointees, and that the Commission resides in the executive branch, 
say, as opposed to in Congress? 

Ms. Hillman. I have heard those concerns, nothing that the EAC 
has been called upon to talk about necessarily. I think a review of 
HAVA would show that while the commissioners are Presidentially 
appointed, each commissioner candidate is recommended to the 
President by the leadership of both the House and the Senate. 

Mr. Hodes. Do you see any downside in moving the EAC to Congress
in terms of where it resides, as opposed to the executive
branch? 

Ms. Hillman. I can’t say that I am an expert in government op- 
erations, but it would seem to me that it might be difficult for some 
of the work assigned to EAC to be done outside of the Federal Gov- 
ernment administration, for example, the issuance of requirements 
payments or any funds to the States and the monitoring of those 
funds, or the whole process of setting up the voting guidelines and 
doing the testing and the accreditation. I just don’t know if a body 
of Congress should be responsible for accrediting laboratories, test- 
ing voting systems, and issuing the certifications. I don’t know of 
anything that has existed like that. Generally, those functions are 
within Federal Government agencies. 

Mr. Hodes. Thank you.

Ms. Hillman. Sure.

Mr. Hodes. Thank you, Mr. Chairman. I yield back.

Mr. Clay. Thank you, Mr. Hodes.

Mrs. Maloney. 

Mrs. Maloney. Thank you, Mr. Chairman. 

I would like to ask Commissioner Hillman, the CIBER assess- 
ment report submitted to the EAC last summer documented the 
entirely inadequate testing performed by CIBER and Wyle, for that 
matter, on software used in over 70 percent of the voting systems 
last November. These systems had been sold to counties as having 
been tested and certified to Federal voting system standards. 





Once they learned that the software testing was woefully inad- 
equate, did the EAC inform elected officials, not to mention the 
public, that would be using the equipment to count the votes? 

Ms. Hillman. Thank you, Congresswoman. I am just going to
glance at my counsel while I answer this question because what I
understand is that the certification was to assess the capacity of
CIBER to perform testing under our program. We did not in that
process assess or evaluate work they had done previously, work
that CIBER had done before EAC, what was done for the National
Association of State Election Directors. 

So the report to us did not include evaluation of work they had 
done previously, but rather whether or not they were capable to 
perform under our certification program. 

Mrs. Maloney. But didn’t the report show that it was inad- 
equately tested? That is the point. The point was that it showed 
it was inadequately tested. The question is, did you inform anybody 
that it was inadequately tested? 

Ms. Hillman. Again, Congresswoman, I don’t believe the report 
addressed prior work. It looked at their existing procedures against 
our requirements. So I don’t believe the report that we received on 
CIBER informed us of inappropriate or inadequate things they had
done prior to our program. 

Mrs. Maloney. I believe that it did, but we need to look at it fur- 
ther. 

Let me just ask Richard Hite, in 2005 the GAO recommended 
that the EAC, “improved management support to State and local 
election officials by collaborating with the Technical Guidelines De- 
velopment Committee and the National Institute of Standards and 
Technology to develop a process and associated timeframes for 
sharing information on the problems and vulnerabilities of voting 
systems.” This is a GAO recommendation. 

I would like to ask you, Mr. Hite, do you feel it is the role of the 
EAC to inform elected officials and the public of problems encoun- 
tered with voting machines, even if those voting systems were not 
directly certified by the EAC? So should the EAC, if they are aware 
of problems, inform the public and elected officials? 

Mr. Hite. As my written statement brings out, we believe that 
any information that the EAC becomes aware of that would be 
deemed credible and useful to election officials, regardless of the 
source, whether it is from a vendor, whether it from an independ- 
ent authority, or whether it is from State and local jurisdictions, 
that information should be disseminated under their clearinghouse 
role. 

Mrs. Maloney. So particularly problems encountered with the 
machines should be definitely covered. 

Mr. Hite. Yes. 

Mrs. Maloney. Absolutely, probably more than any other reason. 
So therefore, going back to my first question to Commissioner 
Hillman, it was my understanding the CIBER assessment report
documented inadequate testing, so therefore shouldn’t that then 
have been given to the counties and to the people with the voting 
machines? Maybe I will ask Mr. Hite the same question. Do you 
think they should have informed election officials and the public
that would be using these machines that the CIBER assessment report
said they were inadequately tested?

Mr. Hite. For me to answer the question, I would have to have 
some knowledge into the particular reports that are being talked 
about. I have not seen those and I don’t know the time line. 

Mrs. Maloney. OK, we will get them to you, then, and maybe 
you can get the answer back to us. OK? Thank you. 

Mr. Clay. Thank you very much, Mrs. Maloney. 

Mrs. Maloney. We have been called for a vote, Mr. Chairman. 
Are you aware? 

Mr. Clay. Yes, I am. 

That will conclude the testimony from panel one. Thank you, Ms. 
Hillman and thank you, Mr. Hite, for your testimony. You may be 
excused. 

Ms. Hillman. Thank you. 

Mr. Clay. I would like to now invite our second panel of wit- 
nesses to come forward. We have a series of six votes that follow. 
I would like to swear in the witnesses and possibly get their open- 
ing statements going. And then we will recess the hearing and re- 
convene. With six votes, it is going to take about an hour. 

Mrs. Maloney. An hour? 

Mr. Clay. An hour, I would bet you. So let’s see what we can get 
in now. 

If the next panel could come forward and make some brief open- 
ing statements, and then we will recess and make our votes. 

Our second panel is here with us today to address issues relating 
to electronic voting. Our first witness is the Honorable Robin 
Carnahan, who is Missouri’s Secretary of State. Our second witness 
is Avi Rubin, Ph.D, technical director of Information Security Insti- 
tute, Department of Computer Science, Johns Hopkins University; 
and Mr. John S. Groh, vice president, Election Systems and Software
International, and chairman, Election Technology Council.
Our fourth and final witness is Ms. Diane Golden, Ph.D, director 
of the Missouri Assistive Technology Council, on behalf of the Na- 
tional Association of Assistive Technology Act Programs. 

Welcome to all of you. It is the policy of the Committee on Over- 
sight and Government Reform to swear in all witnesses before they 
testify. At this time, I would like to ask you to stand and raise your 
right hands. 

[Witnesses sworn.] 

Mr. Clay. Thank you. Let the record reflect that all the wit- 
nesses answered in the affirmative. 

We will start with Ms. Carnahan, if you could please give us a 
brief summary of your testimony. 





STATEMENTS OF ROBIN CARNAHAN, SECRETARY OF STATE, 
STATE OF MISSOURI; AVI D. RUBIN, TECHNICAL DIRECTOR, 
INFORMATION SECURITY INSTITUTE, DEPARTMENT OF 
COMPUTER SCIENCE, JOHNS HOPKINS UNIVERSITY; JOHN S. 
GROH, VICE PRESIDENT, ELECTION SYSTEMS AND SOFT- 
WARE INTERNATIONAL, AND CHAIRMAN, ELECTION TECH- 
NOLOGY COUNCIL; AND DIANE GOLDEN, DIRECTOR, MIS- 
SOURI ASSISTIVE TECHNOLOGY COUNCIL, ON BEHALF OF 
THE NATIONAL ASSOCIATION OF ASSISTIVE TECHNOLOGY 
ACT PROGRAMS 

STATEMENT OF ROBIN CARNAHAN 

Ms. Carnahan. Thank you, Mr. Chairman. It is an honor to be 
here with you today. As one of your constituents, I am pleased to 
see you up in the Chair. 

I am Secretary of State Robin Carnahan of Missouri. It is my job 
as the chief elections officials in my State to ensure that elections 
are run in a fair, secure, and accurate way. I want to share with 
you today some of the things that happened in the 2006 election. 

By all accounts, the election in Missouri was one that was fair 
and accurate and secure. Over 2 million people voted. That was 53 
percent of the vote. In most instances, it went efficiently and 
smoothly. This was particularly noteworthy because of all the 
changes that were required after the Help America Vote Act and 
the new machinery that was put in place. 

I will be clear: elections in Missouri are run locally. They prob- 
ably are that way in your State as well. Locally elected public offi- 
cials run those elections in most places. In the larger metropolitan 
areas, there are appointed election boards. What we have done is 
documented the instances of problems that happened in the elec- 
tion, but also the successes. We put out a report about that, and 
we have a copy that we have submitted for the record. It is called 
Voters First: An Examination of the 2006 Mid-Term Election in 
Missouri. 

The successes were clear. We were able to implement the HAVA 
changes in a way that was fair and accurate. We got rid of punch 
card ballots. We got the new optical scan and DRE equipment. This 
new equipment was accessible for people with disabilities. We had 
the most accurate voter lists we have ever had in the State of Mis- 
souri. 

So there were significant improvements. But there were also 
some issues, and I want to identify what a couple of those were. 
The first and clearest and most obvious was that there were long 
lines at the polls. It took people a long time to vote. It stemmed 
from a number of things, in part because of the new machinery, in 
part because of a need for more training of poll workers, in part 
because there were some places that ran out of ballots. 

We have a number of recommendations that we have put forward 
about how we can deal with those issues, including having early 
voting in our State, as well as ensuring that there are adequate 
numbers of paper ballots for every person that can go and vote 
there. 

There were also some issues surrounding some of the new voting 
equipment. We have 116 election jurisdictions in Missouri. The primary
voting system is an optical scan paper ballot. There is a DRE
in every voting precinct, as required by HAVA. But unlike other 
States, we have paper trails for every vote that is cast in Missouri. 

In the main, that equipment worked well. There were some prob- 
lems, but in the main the equipment worked well. I will also tell 
you that we did a statewide recount already, using those paper 
trails, including the paper trail on the DRE machine in our August 
primary election. It did not change any results. 

My recommendations on this front are that we need to have peo- 
ple obviously more familiar with the new machines and the poll 
workers in particular who are familiar. 

Another common theme that we saw was that there was some 
misinformation. There were issues surrounding this in our State 
because there were changes in what the voting requirements were 
going to be and what kind of ID was required. One out of five com- 
plaints that we got in our office were about the wrong ID require- 
ments being asked for at the polls. 

There were a couple of registration issues that we saw, but there 
are a number of ways I think we can address those. Congressman, 
we have talked about those, some being automatic voter registra- 
tion when you get a driver’s license with the DMV, or also same 
day registration, which is being looked at in a number of States. 

I know that you all are looking at a number of changes, the Holt 
bill and others, that will affect elections and how they are run. I 
would just stress to you to keep in mind the principles that the Na- 
tional Association of Secretaries of State have put forward. Let me 
just quickly go over those. 

The first is to avoid preemption of State authority. Obviously, 
elections are run locally. If you all are going to take over the elec- 
tion process, that is a big change in our country and it will take 
money to do that. The second is provide reasonable timeframes for 
implementation, and don’t do things that raise expectations that 
can’t actually be met by the local election officials. 

Third is to gather input from people who actually run the elec-
tions on the ground before you make any of these changes. And of 
course, guarantee full funding for any mandates that come down. 
And finally, to encourage the use of maximum flexibility once you 
set the goal, let the States figure out how to meet those goals. 

That is all I have to say today. I know that you all need to get 
away. 

[The prepared statement of Ms. Carnahan follows:] 





Capitol Office 
Room 208 
(573) 751-2379 



Robin Carnahan 

Secretary of State 
State of Missouri 


James C. Kirkpatrick 
State Information Center 
(573) 751-4936 


TESTIMONY OF SECRETARY OF STATE ROBIN CARNAHAN 

Information Policy, Census, and National Archives Subcommittee 
“Ensuring Fairness and Accuracy in Elections Involving Electronic Voting Systems” 

April 18, 2007 


I want to thank the committee members and Congressman Clay for inviting me here to speak 
with you all today. 

My name is Robin Carnahan, and I am the Secretary of State for the State of Missouri. 

As the chief election official for the state of Missouri, it is my job to help ensure fair and accurate 
elections. Today, I’d like to share with you information on election administration in 2006 in 
Missouri - a year of many changes. 

By all accounts, the 2006 elections in Missouri were fair, accurate and secure. In November, 
over two million voters, or 53 percent of Missouri’s eligible voters, cast a ballot. In most areas, 
elections were smooth and efficient as well. This is particularly noteworthy because of the many 
federal law changes that were implemented for the first time in this election. 

In Missouri, all elections are actually run at the local level, and we have 116 separate election 
jurisdictions in the state. So, the credit for this success is due to the hard work and dedication of 
Missouri’s local election officials, their staff and our dedicated poll workers. 

To document what happened in the election, my office drafted and released to the public a report 
called “Voters First: An Examination of the 2006 Midterm Election in Missouri.” This report
provided an examination of both the successes and the issues that voters and election officials 
encountered on and around Election Day. 

First, the successes of the 2006 election included 

• fair, accurate and secure elections; 

• replacement of punch card ballot systems with printed paper optical scan ballots 

• new voting equipment that is accessible to people with disabilities as well as 

• the most accurate voter list Missouri has ever seen. 

• Also, the absence of any reports of voter impersonation or voting fraud in the 2006 
election in Missouri was notable. 


PO Box 1767 • Jefferson City, Missouri • 65102 
www.sos.mo.gov 





There are several recurring issues and themes that we were able to identify, and the report 
concluded with a number of recommendations to make improvements in those areas.

LONG LINES 

First, one of the recurring complaints from all over the state was that many voters had to wait too 
long in line to vote. The long lines stemmed from a number of different issues, from a few 
polling places running out of ballots, to poll workers and voters learning to deal with new 
technology. 

A recommendation to cut down on the long lines voters face on Election Day in Missouri is 
through Early Voting, as currently allowed by at least 30 other states. 

NEW VOTING EQUIPMENT 

Another recurring issue surrounded the new voting equipment. 

The 2006 election was the first election in which all 116 Missouri local election authorities used 
some form of new voter technology in order to be in compliance with federal and state law. In 
Missouri, it is the ultimate responsibility of the local election authorities to choose and purchase 
the voting equipment used in their jurisdiction. 

The Office of Secretary of State provided guidance to the local election authorities to help ensure 
that new voting equipment is secure, accessible, and accurate. 

All Missouri counties used a combination of optical scan voting systems in which voters mark a 
printed paper ballot and that ballot is put into an optical scan machine for counting, as well as at 
least one DRE or “touch screen” voting machine with a voter-verified paper audit trail in every 
polling place. 

So unlike in some other states, all votes cast in Missouri included a paper record of the vote. 

Although we did receive a few reports of issues with both the optical scan and touch screen 
voting systems, overall new voting equipment worked well. The majority of Missouri voters 
voted on optical scan voting machines, and the remainder voted on DRE machines. 

Missouri also conducted one statewide and a few legislative district recounts in 2006 using the 
new equipment. The recounts used the optical scan paper ballots and the voter verified paper 
audit trails and were thorough and accurate. 

We made a few recommendations for improvements in this area to ensure transparency and voter 
confidence. First, enhance training materials for local election officials on current rules and 
procedures for testing and use of new voting systems, and second, develop methods to better 
educate voters about how to use new voting systems. 

POLL WORKERS 




Another common theme we noticed related to poll workers both in terms of numbers and 
training. 

In an election full of changes and new voting equipment, Missouri’s poll workers did an 
impressive job. But, we need more people, especially technologically savvy people, to get 
involved, so we recommended efforts like increasing recruitment, using students, and allowing 
poll workers a day off work with pay, just as if they were serving on jury duty. 

VOTER MISINFORMATION 

We also received a number of reports about voter misinformation in the 2006 election. 

One month before the election, in October 2006, the Missouri Supreme Court upheld a lower 
court ruling that struck down as unconstitutional a photo ID law that was passed by the 
legislature. 

Thus, it is particularly noteworthy that the type of voter fraud allegedly prevented by photo ID — 
voter impersonation at the polls — was not reported as a problem in Missouri. 

However, there were reports of voter misinformation and nearly one out of every five complaints 
received by the Secretary of State’s office concerned a voter being asked for the wrong type of 
identification at the polls on Election Day. Our recommendations include uniform voter 
education materials and greater poll worker training to address this issue. 

VOTER REGISTRATION 

Issues surrounding voter registration were reported in the press and to our office. 

Since the 2004 election, much had been done to improve the voter registration process in 
Missouri. In addition to the new statewide voter registration database list, a new state law 
required that anyone being paid to register new voters must be registered with the Secretary of 
State’s office. 

One of our recommendations on this topic was to explore the feasibility of Election Day voter 
registration and/or automatic voter registration for those who are qualified to vote when they 
apply for licenses at Missouri DMV offices. 

Also, in 2005, the Department of Justice sued the state of Missouri and the Secretary of State’s 
office over alleged violations of the National Voter Registration Act. This past Friday, a federal 
judge ruled that my office not only complied with federal law with regard to voter registration 
lists, but also went beyond its requirements through our many efforts to assist the county clerks 
and election boards with their responsibilities. The ruling also confirmed that there is no 
evidence of voter fraud in Missouri. 

I know that you are discussing a lot of important federal election reforms here in the Congress. 
As you discuss how best to proceed with legislation that would affect elections, I hope you will 
keep in mind these five principles adopted by The National Association of Secretaries of State 

(NASS) regarding federal election reform efforts: 

• Avoid preemptions of state authority. 

• Provide reasonable timeframes for implementation. 

• Gather input from state and local officials. 

• Guarantee full funding for federal mandates. 

• Allow for maximum flexibility for state implementation. 

In closing, I want to thank you for inviting me here to testify before the committee today and for 
your work on these important issues. Ensuring both the integrity of our nation’s elections and the 
confidence of the American people is a vital charge. I hope my comments help as you work to
achieve these common goals. 

Thank you. 




Mr. Clay. Thank you so much, Madam Secretary, for that abbre- 
viated presentation. 

We will try Dr. Rubin, and see how far we can go. You may pro- 
ceed. 


STATEMENT OF AVI D. RUBIN 

Mr. Rubin. Thank you very much, Mr. Chairman and members 
of the committee. 

My name is Avi Rubin. I am a computer science professor at 
Johns Hopkins University. My background and training are in the 
area of computer security. In 2003, I made electronic voting my pri- 
mary research focus. 

After reviewing the source code of the Diebold DRE voting ma- 
chine and finding serious security problems there, I also published 
a report outlining the risks of these machines. After that, I became 
an election judge and worked two primaries and two general elec- 
tions in Baltimore County to get a feeling for the process, and un- 
derstand exactly how it works from a non-academic perspective. 

I found that there were many other computer science professors 
around the country like myself who were working on electronic vot- 
ing and for whom electronic voting was very important. We decided 
rather than duplicating effort and working everyone in their little 
island, to join forces and try to create a center to study electronic 
voting. We made a proposal to the National Science Foundation to 
establish the ACCURATE Center. The Center was funded to the 
tune of $7.5 million over 5 years. I am the director of ACCURATE. 

Our main focus is to explore the design space of voting machines 
to better understand how the next generation of voting machines 
can be designed. We also perform outreach into the community by 
working on things like post-election audits like we had in Sarasota 
County that we were involved with, and working as election judges 
and poll workers and poll watchers. 

Finally, we educate students by teaching courses that focus on 
issues related to electronic voting. 

The discussion of voting machines has focused primarily on three 
types of technologies these days. Those are DREs, optical scan 
paper ballots, and DREs with a voter-verified paper record or paper 
trail. The primary difference between DREs and other voting sys- 
tems is that a DRE is a software application running on a com- 
puter. It is typically running over the Windows operating system, 
although not all do. There are no ballots. The votes are kept on 
memory cards like the ones you might have in a digital camera, 
and there is another copy usually kept in the internal flash mem- 
ory. 

Now, optical scanners use software as well. DREs are not the 
only ones that use software. They use software to read the scanned 
images, to process the images, and to tally the votes. But there are 
two important differences between the software in a DRE and the 
software in an optical scanner. The first difference is the amount 
of software. A DRE utilizes tens of thousands of lines of code, and 
the DRE operating systems that these DRE applications run on top 
of are typically millions of lines of code. An optical scanner can be 
written on hundreds of lines of code, so it is much simpler and easi- 
er to analyze. 





The second difference is that DREs produce no ballots, so they 
cannot be independently audited. Optical scanners can be audited 
and the ballots can be recounted. 

Let me take these two differences one at a time. First, the 
amount of software. If you haven’t programmed a computer, it is 
hard to appreciate how different software is from anything else. It 
is highly complex and they are hidden in our actions between com- 
ponents and software. This is why some of the problems you may 
run into in a software system might not be replicable. You might 
have one section of software in a particular State, and then another 
section of software in an another State, and that combination of 
States creates an unexpected output. 

So you can find, and we often do see, that software systems can 
misbehave in surprising ways that cannot be reproduced and we 
cannot really understand exactly what happened. We can never 
know that a software system is free of bugs. In the discipline of 
software engineering, the No. 1 metric for how many bugs there are in
a program is the number of lines of code. More software means 
more bugs. So voting machines that have a lot of software are 
going to have a lot more bugs. 

I run short contests in my class where I have the students write 
very small programs. I am talking five or six lines. And then I have 
other students in the class try to evaluate these programs and find 
any bugs that are inserted there on purpose. I overwhelmingly find 
that it is much easier to create software bugs and to hide bugs 
than it is to find them. Finding software bugs is not something that 
can be done scientifically. It is an art right now and it is an imper- 
fect art. 

I see that I am running out of time. I know you have somewhere 
to be, so I am going to leave a lot of what I had to say for the ques- 
tion and answer. But let me just wrap up by pointing out that 
NIST defines the concept of software independence, which is that 
a previously undetected change or error in the software cannot 
cause an undetectable change or error in election outcome. I think 
that is the right standard. I think that there are going to be 
undetectable bugs in software systems and we cannot have them 
affect the outcome. 

The only way that I know of right now to actually achieve soft- 
ware independence is with paper. 

[The prepared statement of Mr. Rubin follows:] 





Testimony, U.S. House Subcommittee on Information Policy, Census, and National 
Archives 

Rayburn House Office Building, Washington D.C. 

Dr. Aviel D. Rubin, Professor of Computer Science 
April 18, 2007 

My name is Avi Rubin. I am a Professor of Computer Science and Technical Director of the 
Information Security Institute at Johns Hopkins University. I am also President of Independent 
Security Evaluators, a computer security consulting firm. I am author or co-author of several 
widely used books on the subject of computer and network security. My latest book, Brave New
Ballot (Random House, 2006) is on the security of electronic voting. I received my Ph.D. in
Computer Science from the University of Michigan in 1994 in the field of Computer Security. I
have been specializing in research issues related to electronic voting since 1997, and I am a 
member of the National Committee on Voting Integrity. 

In 2003, I made electronic voting my primary research focus after reviewing the source code of
the direct recording electronic (DRE) voting machines used in my state of Maryland. My research
team identified numerous security problems with that system, and we published a report outlining
the risks of using the Diebold machines in elections. Following this academic project, I 
volunteered to become an election judge in Baltimore County to gain hands on experience 
running elections, to inform my security research. I have worked the 2004 and 2006 primary and 
general elections, and I am signed up to be an election judge again in 2008. 

Together with several colleagues from Berkeley, the University of Iowa, Rice University, 
Stanford, and SRI, I approached the National Science Foundation (NSF) to establish a center for 
studying electronic voting. The NSF funded A Center for Correct Usable Reliable Auditable and 
Transparent Elections (ACCURATE) at a total of $7.5 million over five years. I am the director 
of the center. Our focus is on exploring the design space for voting machines so we can better 
understand how the next generation of these machines must be constructed. Our investigators 
include a psychology professor, a law professor, and eight computer scientists. The three primary 
goals of ACCURATE are research, outreach, and teaching. Our research focuses on developing 
technologies that can improve voting systems. Our outreach effort focuses on working with the 
elections community to help them understand technology and policy issues. For example, we 
participated in post-election audits in 2006. Finally, we have designed curriculum to teach our 
students about the important issues in electronic voting. 

Our ACCURATE research consists of several thrusts. One of our projects involves performing 
usability testing to compare different types of equipment. We can test design prototypes against 
human subjects to find out whether they are usable. We also provide coordinated responses to 
requests, such as those from the EAC. For example, we provided detailed comments on the 
proposed VVSG. In addition, we are performing basic research in computer security to create 
technology for future generations of voting systems. For more information about the activities of 
ACCURATE, our 2006 annual report, which lists all of the principal investigators, as part of my
written testimony is available online.¹

¹ http://accurate-voting.org/wp-content/uploads/2007/02/AR.2007.pdf





The Maryland bills in the State House and Senate are similar to the bill proposed by US 
Representative Rush Holt (H.R. 811) and one that is expected from US Senator Dianne Feinstein. 
It is not too late to fix the problems with our voting systems before any more elections are run on 
insecure and non-auditable platforms. It should be noted that the best technology for voting is 
also one of the least expensive.

DREs with which so many jurisdictions like Maryland are now saddled, cannot be properly 
audited. However, audits are critical components of any security sensitive system. They provide 
assurance that a correct result was achieved. A proper audit has the following properties: 

- External to the system. For example, printing the results from a DRE and counting them
does not constitute an audit.
- Publicly observable
- Reproducible
- Well defined

The goal of an audit is not necessarily to obtain the same result as in the election, but rather, to 
have a process where increased accuracy can be achieved with an increase in effort. A proper 
audit capability can also result in better failure detection and recovery. 

A paperless DRE cannot be properly audited. Period. There are no records external to the system, 
and electronic data cannot be publicly observable. Furthermore, a DRE with a voter verified 
paper record (VVPR) is not as good as a paper ballot system with precinct-level op-scan 
counting. Here are the properties of optically scanned paper ballots that make them superior to 
any form of DRE voting. 

- Faster voting eliminates or minimizes long lines because voters do not have to wait for
machines to fill out their ballots. Scanning paper ballots takes seconds, whereas voting on
a DRE takes minutes.

- Even if the equipment fails, voters can keep voting. This is not true of DREs.

- The technology is cheaper, with only one scanner and one ballot marker needed per
polling place.

- Audits are do-able, and much easier to perform than with commercial VVPR systems.

- Redundant tally issues (paper vs. electronic) are simpler than in VVPR systems.

- Ballot marking systems and external verification systems make paper ballot systems as
accessible as DREs, and potentially more accessible than DREs with VVPR.

- It is easier to preserve privacy than with VVPR, because most VVPR solutions store the
paper records sequentially.

- It is easier to use paper that is durable.

- The operation is simpler and more transparent to voters.

- Less software is required.

- The system is simpler to administer.

Finally, I believe that NIST provided the best guidance when they suggested that a voting system 
is Software Independent, “if a previously undetected change or error in its software cannot cause 
an undetectable change or error in an election outcome.” Today’s DREs are anything but software 
independent, and I believe the only way to achieve software independence today is with paper 
ballots. 





Mr. Clay. Thank you so much, Dr. Rubin, for that testimony. 

Mr. Groh and Dr. Golden, the committee will recess now. We will 
reconvene very shortly after the final vote. If you could just bear 
with us, we will come back to you. 

The committee stands in recess. 

[Recess.] 

Mr. Clay. The Committee on Oversight and Government Reform 
will come to order. We left off with Mr. Rubin. We will go to Mr. 
Groh. You may present your testimony. 

STATEMENT OF JOHN S. GROH 

Mr. Groh. Thank you, and welcome back. 

I will dispense with a little bit of my background and who I am, 
but I do represent the Election Technology Council as the chair- 
man. The member companies of the Election Technology Council, 
we account for over 98 percent of the ballot tabulation in the 
United States. So this is made up of the people who are the stake- 
holders in supplying the technology to the election community. 

The other point I would make is my voice today is also a voice 
of over 1,000 individuals that are citizens, voters and employees of 
these vendor companies, who live in over 33 States. So we have a 
large constituency of individuals that work in the voting industry 
and we are proud to have done that. 

We all know that historically the 2000 election launched for the 
first time a national debate on elections. I think everybody was 
ready and it was well overdue that it happened. This was not a 
surprise at what happened in 2000 to any of the voting officials be- 
cause they had been dealing with this for years. 

But I want to remind the subcommittee of a couple of key dates, 
because I think we need to recognize that there were two events 
going on. One is there was an old system that all of us were operat- 
ing under that was run by the National Association of State Elec- 
tion Directors. This was then propagated by the 2000 election. We 
had some changes. So I would remind you that in October 2002 is 
when HAVA passed, but it wasn’t until March 2004 that the EAC 
first came into formation, a brand new agency. It was very, very 
difficult to get traction and get themselves going. 

So there is a little bit of a reminder that the EAC has done a 
lot. Have they done everything they could do? Absolutely not, but 
they are on path to do all of it. It is just that they have a lot to 
do. 

We as the vendor community, we believe that there was one sin- 
gle goal of HAVA. Actually, I would like to recant that and say I 
think there were two. One was to ensure that every vote counted, 
but I think a bigger one was to assure that every voter is able to 
vote unassisted. That has been one of the mantras of the vendor 
community, was to come up with methodologies to allow everybody 
to vote. The ETC is open to all companies that wish to be in this, 
so we are a pretty broad group of individuals that are in this. 

I want to talk a little bit about a few areas that the committee 
has asked to hear about, and a couple that you haven’t. We do 
know that one of them is time. Time is a very important element, 
and HAVA did not allow enough time. We would recommend that 





anything that Congress does going forward, please allow enough 
time for local and State jurisdictions to implement that. 

The second one would be the cost factor that goes into anything 
that is being mandated or required of State and local jurisdictions 
that in fact can happen. 

And the third is to not give up and remove the accessible voting 
strides that we have made in the last 2 or 3 years with new tech- 
nology that is out there. 

Now, I will talk a little bit about some subjects that you had 
asked for a little more detail. One of them was the area of security. 
I am also going to talk about voting system certification, and then 
also I want to divert a little bit into source code and the area of 
the openness of source code. 

One of the things around security that everybody is focused on 
is trying to make the technology be something that handles every- 
thing in the security. It can’t. One must recognize that security is 
an end to end process and you account for the totality of cir- 
cumstances that can impact the security element. 

Prior speakers have all addressed that, and I think it is some- 
thing that we, as election vendors, also understand that you have 
to have good practices. We have submitted along with our testi- 
mony, the testimony of Donetta Davidson, Chair of the EAC, that 
she provided I believe on March 15th. That is attached to my testi- 
mony as a supplement to it. 

To quote what she had put in hers, that the fundamental election 
administration process is to protect the entire voting process will 
always be important, even as voting technology evolves. Focusing 
solely on the reliability of voting systems is not enough, and Federal
certification for the system cannot take the place of solid, thorough
management procedures at the State and local levels to ensure
the system is managed and tested properly. That is one of the 
things that we will continue to talk about in our dialog with dif- 
ferent committees. 

If I move over to the certification process, one of the things that 
certification is, they are on a path to launch a new certification pro- 
gram. They just haven’t had enough time to get it implemented. All 
of us were working under the old certification process run by 
NASED. I have provided for you two diagrams, one pre-January 1, 
2007, when EAC took over and has implemented a new certifi- 
cation process. I wanted you to have a view of what it was like be- 
fore and what it is like as we look into the future. Please give the 
EAC enough time to implement that. 

And the final one was on voting system source code. The ETC 
members are in agreement that we think there needs to be best 
practices put out there, and some type of an oversight of how 
source code is to be looked at. I have submitted, along with my tes- 
timony, from the ETC members that of Britain Williams, Ken- 
nesaw State University professor, with over 20 years of election ex- 
perience. He has put together some recommendations. We embrace 
those as a good process to start that, and would ask the Chair and 
the committee to look at those. 

With that, I am open to any questions you would have. 

[The prepared statement of Mr. Groh follows:] 





Testimony before the Subcommittee of Information Policy, Census, and 
National Archives, Committee on Oversight and Government Reform 

April 18, 2007 

John Groh, Chairman, Election Technology Council 


My name is John Groh and I am a Senior Vice President with Election Systems & 
Software. I am here to provide testimony on behalf of the Election Technology 
Council (ETC). The Election Technology Council consists of companies which 
offer voting system technology hardware products, software and services to 
support the electoral process. These companies have organized as an association 
to work together to address common issues facing our industry. Membership in 
the ETC is open to any company in the election systems marketplace. 

The historic General Election of 2000 led to the largest election reform legislation 
in the nation's history, "The Help America Vote Act" of 2002 (HAVA). At the 
very core of this sweeping legislation was one goal, "to ensure that every vote 
counts". This testimony is intended to provide insights and discussion points 
from the ETC members to concerns about the security and reliability of electronic 
voting systems, vulnerabilities in the development of system software code, and 
industry challenges to developing more reliable accreditation and certification 
programs for systems. 

The members of the ETC have provided election services and products to 
thousands of voting jurisdictions over the past several years. In addition to 
providing equipment and services, ETC member companies invest millions of 
dollars in research and development every year to help improve the quality, 
accuracy and credibility of elections. Collectively we serve more than 95 percent 
of all election jurisdictions in the U.S. The members believe that elections should 
be accurate, secure, accessible and transparent and are dedicated to continuous 
improvement and the evolution of our products and services to continue in the 
achievement of our goals. The 2006 general election demonstrated the effective 
utilization of electronic voting stations (many with voter-verifiable paper audit 
trail printers) and optical scanners. The members of the ETC are committed to 
continuing to serve as stakeholders and partners with election officials to ensure 
that the mandates of HAVA are complied with in full. 


April 18, 2007 Testimony

5:55 PM 4/16/2007


Certification Processes 

Election systems manufacturers continually conduct new product development 
to enhance current voting equipment and innovate the next generation of voting
technology. This development process is driven by state and federal election 
laws and standards that establish specific voting system requirements. 

Software / Firmware 

After internal vendor development, documentation, and quality assurance, to be 
certified to federal voting systems standards, a voting system and its component
parts must go through extensive testing conducted by EAC accredited Voting 
System Testing Laboratories (VSTL). VSTL's review line-by-line the software and 
firmware source code to ensure compliance with standards and overall integrity. 
Once complete, a VSTL will perform and witness the compilation of the source 
code into program executable files. VSTL's test the functionality of the voting 
equipment using compiled code to ensure it operates accurately - that votes are 
properly captured, results are properly reported, and data is properly retained. 
To pass the accuracy test, a system must tabulate 1.5 million votes with 100% 
accuracy. 

Voting System Hardware

VSTL's test the operation of the voting system hardware to ensure it can 
withstand extreme environmental conditions and intensive human handling. If, 
at any point in the testing process, a VSTL identifies an issue that must be 
addressed, a product or component part is sent back to the vendor for additional
development and resubmission through the whole VSTL testing process. Only 
after the system or component has passed every test is it deemed qualified for 
federal certification. 

State-level Certification 

Presently ~thirty-six states (36), federal certification is only a first step before a 
voting system can achieve state certification. In many cases, the state will carry 
out its own independent testing of the accuracy, security, and reliability of a 
system. State testing (which varies state-to-state) expands upon and enhances 
testing at the federal level. A state also will compare a product's features and 
functionality against state law and standards to ensure it complies. Many states 
require the vendor to escrow a copy of the certified system software. 

Local Jurisdiction 

Locally, after vendor production testing prior to shipping, the local election 
authorities conduct acceptance testing to ensure the voting system equipment 




Secondly, the source code is provided to the Voting System Testing Laboratories 
(who are accredited by the EAC) for use in testing and certifying voting systems.
~Thirty-six (36) states also require the manufacturer's source code as part of their 
certification and review process; in every instance that source code is provided. 
Customers and/or states may also require the manufacturer's source code be 
escrowed with the code being provided under escrow agreements. 

Also, after software is federally certified, election system vendors voluntarily 
submit the executable code to the National Software Reference Library, which 
archives a validation code for future reference. This allows any jurisdiction to 
verify the delivered system software against the archived validation code to 
ensure it is the certified version. 

The ETC members believe that a good process for disclosed source would be like
the attached testimony concerning the Open Source Software debate from
election expert Britain Williams, Ph.D. Dr. Williams is Professor Emeritus,
Kennesaw State University who has more than 20 years experience in
computer based training. Dr. Williams's testimony is from the Election
Subcommittee Hearing on Election Reform on March 15, 2007. (See attachment E)


Concluding Remarks: 

In providing this testimony, our intention is to give feedback to the 
Subcommittee of Information Policy, Census, and National Archives, Committee 
on Oversight and Government Reform on the consequences to the vendor 
community and, as we see it, to the states and election jurisdictions - our valued 
customers whom we serve. 

Above all, the ETC member companies and employees aim to be responsive to 
voters, local election officials, State and Federal government, and are committed to
providing safe, secure, accurate, reliable and accessible voting systems. We are 
all involved in this process together, and by working together we can improve 
the process of voting, voter access and participation. 




Mr. Clay. Thank you very much for that testimony. 

And last, but not least, Dr. Golden. Thank you for your patience 
and thank you for being here. 

Ms. Golden. Not a problem at all. You just saved the best for 
last, right? I assumed that. 

STATEMENT OF DIANE GOLDEN 

Ms. Golden. I am here to talk about accessibility for people with 
disabilities. I am not here to support or oppose paper, electronic, 
combinations. It doesn’t really matter to me as long as the system 
delivers accessibility for people with a broad range of disabilities. 

A couple of principles. If indeed you are going to use a paper bal- 
lot for security reasons, and it is a determinant ballot of record 
that can be counted as an official ballot, then it has to be acces- 
sible. I can’t emphasize that enough. There are actually, most re- 
cently a report by NIST to the Technical Guidelines Development 
Committee of the EAC that suggested that perhaps it wasn’t im- 
portant for people with disabilities to verify their paper ballot; that 
it would be enough for people without disabilities to verify ballots 
and that should be sufficient. I can just tell you in no uncertain 
terms that is not going to be sufficient. 

If a paper ballot is going to be used, it needs to be able to deliver 
the same access features as one can get from an electronic ballot. 
Unfortunately, if I am the wet blanket in the room, electronic infor- 
mation is very, very easy to make accessible. Paper is much more 
challenging to be made accessible. In order to manipulate the infor- 
mation on paper, you pretty much have to convert it into an elec- 
tronic form so that you can deliver accessible media and formats. 

So what we are faced with right now are, as people have talked 
about previously, two primary voting systems: DRE electronic vot- 
ing systems, with paper added in a printer form; or ballot marking 
devices where the vote starts and ends as paper. The person with 
a disability interacts with both of those electronically, so there is 
a wide range of access features. Blind people can use the tactile 
audio ballot. People with low vision can use enlarged print. People 
with motor disabilities can use switch input, large tactile input, 
and mark the ballot with very little motor skills involved. 

Unfortunately, both of those current systems have glaring acces- 
sibility problems. If you start out with a base DRE and add a print- 
er, the print on the paper needs to be accessible some way. The 
only way to do that is to scan it back in and reproduce it electroni- 
cally so that someone with low vision can see it in large print, and 
someone who is blind can get it auditorily. Right now, we don’t 
have any DREs with VVPATs that have that capacity. So for all
of the jurisdictions that currently provide DREs with VVPATs, and 
Missouri is one of them, people with disabilities can’t verify the 
print on that paper. If that becomes a determinative vote of record, 
then the person with the disability never was able to verify the ac- 
tual vote. 

Ballot marking devices have their own problem. The vote starts 
and ends paper, so I take my paper ballot, insert it into the ballot 
marking device. I interact with it electronically. It marks my ballot 
for me, but then it spits it back out to me and I have to physically 
handle it. I have to reinsert it in that machine or insert it in a pre- 



99 


cinct counter to verify. I may have to insert it in a ballot box to 
finally cast it. All of that takes motor skills that if I am a quad- 
riplegic I don’t have. 

So for both of the systems that we have out there that have 
paper, we have access problems. The situation facing people with 
disabilities who have voted on paperless systems is they have had 
pretty much complete accessibility available. By adding paper back 
into the voting process, we have reintroduced access barriers. 

Are they solvable? Yes. We can solve these. People have been 
doing assistive technology for years, and we have ways of solving 
these problems. As was pointed out, it is going to take time and 
money to do that. So in terms of any kind of paper mandate, 
whether it is at a State level, and Missouri is one of the States 
where we pretty much have a paper mandate, we need to address 
this and we need to address it quickly, and we need to make sure 
it gets done so that we have not again disenfranchised people with 
disabilities by deciding that paper is the way we need to go for se- 
curity purposes. 

With that, I will close and I am more than willing to answer 
questions. 

[The prepared statement of Ms. Golden follows:] 





Testimony before the Committee on Oversight and Government Reform
Information Policy, Census, and National Archives Subcommittee Hearing 
Ensuring Fairness and Accuracy in Elections Involving Electronic Voting Systems 

April 18, 2007 


Presented by 

Diane Cordry Golden, Ph.D. 

Director, Missouri Assistive Technology 
On behalf of the Association of Assistive Technology Act Programs 


Chairman Clay and members of the committee, thank you for the invitation to testify today. 
My name is Diane Golden and I currently work as the Director of Missouri Assistive 
Technology, the congressionally mandated statewide program in Missouri that provides 
assistive technology, including computer adaptations, for individuals with all types of 
disabilities. In addition to program administration duties, I serve on the Board of the 
Association of Assistive Technology Act Programs and provide technical support to the 
National Disability Rights Network on voting equipment access issues. I currently serve on 
the Telecommunications and Electronic and Information Technology Advisory Committee of 
the U.S. Access Board working on revising the standards for information technology 
accessibility as required by Section 508 of the Rehabilitation Act. I have also provided 
invited testimony to the Election Assistance Commission (EAC) and the Technical Guidelines 
Development Committee (TGDC) on accessible voting systems. 

Congress has recognized the need for specialized expertise in assistive technology by 
funding State Assistive Technology Programs in the 56 states and territories. These 
programs are required to address the assistive technology needs of individuals with all types 
of disabilities. A multitude of other federally funded programs focus on unique aspects of 
assistive technology and specific populations of individuals with disabilities. Historically in 
the discussions surrounding voting security and how to ensure accessibility, assistive 
technology expertise has not been effectively utilized. Individuals with unbiased knowledge 
and expertise in assistive technology have not typically been involved in discussions
regarding voting security even though many proposed solutions impacted accessibility. 

As a preface to these comments, I want to emphasize that the disability community shares 
the interest of all Americans in ensuring that elections are fair, secure and accurate. From a 
personal perspective, I do not support or oppose a requirement for paper ballots if deemed 
necessary to ensure security nor do I want to outlaw or promote any particular voting 
system. My expertise and focus is on accessibility. To that end, I am here today to identify
issues critical to ensuring fair, accurate and accessible voting and to highlight the challenges
posed by voting equipment currently available. In considering accessibility of voting systems,
the following three points are critical: 

1) The determination of whether or not a voting system, with or without a paper ballot, is 
"accessible" (and therefore meets any legal requirements to be "accessible") should be 
based on conformance to a set of appropriately developed, nationally accepted, technical 
access standards. Such determinations should not be based on individual anecdotal 
experiences. 





2) If the decision is made to require a paper ballot, as a determinative vote of record to 
ensure security, that paper ballot must be accessible. Accessibility cannot and should not 
be knowingly compromised in response to unreasonable concerns regarding security. 

3) A robust testing process should be in place to verify that a voting system conforms to 
accepted access standards. The entity performing such testing must have comprehensive 
knowledge and understanding of accessibility features along with expertise and experience 
in assistive technology. 


Status of Accessibility Standards and Conformance 

The adoption of access standards as part of the Voluntary Voting System Guidelines (VVSG)
required by HAVA has provided much needed direction regarding what is and is not 
considered to be "accessible." These access standards provide technical specifications 
regarding the access features that must be provided by a voting system for it to be 
considered an accessible system pursuant to HAVA requirements. 

For example, the VVSG indicates that an accessible voting system must provide -

• An audio-tactile interface so that a blind voter can listen to the ballot and 
navigate/mark the ballot through tactile controls; 

• Enlarged and enhanced text for individuals who have vision loss but cannot use an 
audio ballot; 

• Simultaneous audio and enhanced visual display for individuals who have vision loss 
and those with print disabilities such as dyslexia; and 

• A "non-manual" input option (usually dual switch) that allows individuals with very
limited motor skills to navigate/mark the ballot.

In reviewing products over the past several years, it appears that most of the access
features required by the VVSG (excluding those related to accessibility of paper ballots) are
being delivered by one or more direct response electronic (DRE) systems or ballot marking
devices (BMD) with an electronic interface currently on the market. Features not currently
available on existing products could be readily added as part of a redesign of the electronic
interface of a DRE or BMD system. These electronic interfaces (absent paper ballots) that
conform to the VVSG access standards deliver a wide range of access features that allow
individuals with a variety of disabilities to vote secretly and independently, like all other 
Americans. As a result, many Americans with disabilities have enjoyed a certain level of 
accessibility in voting for the first time in their lives. 


The Paper Challenge 

If paper ballots are used to ensure security, those paper ballots must also be accessible to 
ensure the security of the entire election system and to uphold the rights of voters with 
disabilities to generate, verify and cast their vote privately and independently. 

Unfortunately, providing the same range of accessibility for a paper ballot, as is readily 
available with an electronic interface, is a bit more challenging, though not impossible. Two 
major shortcomings exist in current voting systems that use a paper ballot. 


1) Direct electronic voting systems with voter verified paper audit trail (VVPAT)
printers do not provide a mechanism for alternative access to the print on the
VVPAT. As a result, voters with vision disabilities cannot verify the paper ballot
privately or independently.

2) Ballot marking devices require voters with disabilities to manually handle paper to 
verify and cast their ballot. As a result, voters with motor and other disabilities 
cannot verify or cast the paper ballot independently. 

The VVSG requires that systems utilizing a voter verified paper ballot as a determinative
vote of record ensure that the paper ballot itself (not the electronic ballot) is accessible to 
voters with vision disabilities. The VVSG also requires that voters with motor disabilities be 
able to submit/cast the paper ballot without assistance. This means - 

• Voters with disabilities should not be required to handle a paper ballot at any point in 
the voting process; 

• Blind voters should be able to generate their vote using an audio-tactile interface and 
then should be able to verify/edit and cast the content of the paper ballot using that
same interface; 

• Voters with low vision who used enhanced visual display on the screen of a voting 
system to generate their vote should have enhanced visual display available to 
verify/edit and cast the paper ballot; and 

• Voters with motor limitations who used switch input (e.g. sip and puff) to generate 
their vote should be able to use that same switch input to verify/edit and cast the 
paper ballot. 


Paper Ballot Accessibility Requirements 

Accepted public policy dictates that accessibility levels not be rolled back or decreased over 
time. The current level of access delivered by current VVSG requirements for paper ballots, 
must be preserved. Individuals with disabilities who have used paperless voting systems 
should not experience a decrease in their ability to privately and independently vote due to 
the addition of a paper ballot requirement. In addition, the same level of accessibility 
should be required for either a paper ballot or an electronic vote record. 

The most likely option for addressing access barriers in a DRE with VVPAT will be the
utilization of a scanner capable of automatically converting the human readable text of the 
VVPAT into electronic text. That electronic text can then be used to generate audio/speech 
output (through text-to-speech software or other mechanism used by the core DRE system) 
and enhanced visual display (on the visual display of the DRE.) The base DRE system will 
already have the capacity to deliver audio/speech output and enhanced visual display as it 
does for an electronic vote record. The same output mechanisms can be used, but will be 
based on the scanned content of the VVPAT, instead of the content of the electronic ballot.

Some voting systems are using or considering use of bar coded information printed on a 
paper ballot to support automatic vote counting. While scanning bar code information is an 
attractive option to deliver accessibility, it is important to remember that voters with 
disabilities must be able to verify that information that is or can be the determinative vote 
record. If bar code data is the only print information that can or will be counted, then using 
bar code data as the content to be verified by voters with disabilities is appropriate. If 
however, the human-readable print is or can be a determinative vote record, then that print
will need to be scanned and converted into accessible form so voters with disabilities, just
like all other voters, can verify the human readable information. 





The most likely option for addressing access barriers in a BMD will be the addition of an 
automatic paper handling mechanism. If the paper ballot can be manually fed into the 
system prior to beginning the vote process, and from that point on all paper handling is 
done via automatic feeding mechanisms, the access barrier will be eliminated. 

While this all sounds complex, the technology to make this happen is either currently 
available or can be developed if manufacturers are given adequate time and unreasonable
design requirements are not imposed. For example, in recent deliberations it appears the 
TGDC is considering separate output hardware be required to deliver the accessible media. 
In other words, once the print content of the VVPAT or electronically marked ballot is
scanned, it must be delivered to the voter through a separate output device from the one 
used to deliver information during vote generation. 

So for a DRE with VVPAT that means a voter using the audio tactile ballot would have to
unplug their headset from a jack on the machine used to generate the vote record and plug 
it into a jack on a physically separate machine to verify the scanned information of the 
paper ballot. For a voter who used large visual display on a DRE to generate the vote 
record, they would have to use a separate visual display to verify the VVPAT paper ballot.
For a ballot marking device the situation is even more convoluted in that the voter would 
have to manually carry their marked paper ballot to a separate machine to have the 
scanning done and delivered to separate output devices. If this requirement is put in place, 
the time necessary to develop and deploy accessible voting systems will be significantly 
increased and during the interim individuals with disabilities will not have access to 
accessible vote verification and vote casting. 


Independent Testing Labs 

Testing entities entrusted with verifying voting system conformance to the access standards 
must have adequate knowledge and understanding of accessibility to do the job. 

While the EAC has taken dramatic steps to improve the independent testing process for 
voting equipment, it is unclear what expertise and experience the testing labs have to 
adequately ensure compliance with the accessibility standards. Based on past experience 
with these same entities, it did not appear as if sufficient expertise existed to appropriately 
judge conformance to access standards. Time and time again, it was discovered that 
systems certified as conforming to existing Federal Election Commission access standards, 
in fact did not conform. 


Summary 

If Congress determines that in order to secure the voting process every voter must be able 
to verify and cast a paper ballot — then all voters must be able to verify and cast paper
ballots for our elections to be truly secure. Moreover, verification measures must
safeguard the rights voters with disabilities gained under HAVA and must allow all voters to 
verify their ballot privately and independently. A new access barrier should not be created 
by the addition of a verification requirement or a paper ballot mandate. Congress should 
not develop election access requirements to accommodate equipment vendors or the status 
of currently available voting products. Accessible verification technology will only develop if 
the law clearly requires it, and the technology will only be adequate if reasonable time and 
appropriate resources are allocated to support that development. 





Mr. Clay. Thank you very much, Dr. Golden. 

Now, we will move to the question period. My first question is 
for both Dr. Rubin and Mr. Groh. Let me ask you, would you agree 
that a major flaw in the EAC’s voting system guidelines is the lack 
of prescribed standards or guidance for testing or maintaining com- 
mercial off the shelf software or products in e-voting systems? And 
have you and your colleagues at the ACCURATE Center sought to 
offer recommendations for establishing such a requirement? I know
Mr. Groh pointed to some documentation he was going to leave 
with the committee. 

Mr. Rubin, first. 

Mr. Rubin. Thank you. 

Sir, that is outside of the charter of what ACCURATE does. We 
have been funded by the National Science Foundation to do re- 
search, outreach and education. We did provide I believe a 40 page 
document of feedback to the EAC on their proposed VVSG. I don’t
think that software, whether COTS or whether a specific voting ap- 
plication software, can be tested for security the way you would 
test it for humidity or for dropping or for any other things like 
that. I think voting machines need to be red team tested and I 
don’t feel that the VVSG offers the kind of standards that would
need to be prescribed to properly test a system like this for secu- 
rity. 

Mr. Clay. Mr. Groh. 

Mr. Groh. Again, I will not claim to be a computer scientist or 
expert, so I acquiesce a little bit to what Dr. Rubin would bring up. 
But I would like to answer from a different perspective. That is 
that the EAC was working as hard as they could, as fast as they 
could, trying to develop the 2005 voluntary voting system guide- 
lines to replace the 2002. They almost had a challenge that was not 
going to be met. Part of that is when you begin to dig into this, 
there are many, many moving parts, and many, many individuals 
or stakeholders in this from voters to local election officials, Secretaries
of State, the disability community, the vendors.

When that process took place, what they did is they had to rush 
that. So if you look at the time line that the NIST and the Tech- 
nical Guidelines Development Committee worked under, they had 
to shortcut and come up with something to deliver in May 2005, 
so that they could get something implemented. They were racing 
to the finish line. They now have started on the second round of 
that, and they are going through the next iteration. I believe it is 
in that they will do a much better job of coming up with standards 
around it. 

So a lot of the standards that you see were left off, were left off 
knowingly because they were going to be out of time, or they would 
have still not had them released. 

Mr. Clay. Thank you so much for that response. 

Dr. Golden, can you specify how current and available technology 
can provide a verifiable audit trail for those needing assistance? 
Wouldn’t the use of barcoded information from a paper ballot ma- 
chine provide accessibility, while also ensuring the privacy of the 
voter’s ballot? Are there other e-voting system options that can be 
employed in order to provide both accessibility and reliability in the 
voting process? 





Ms. Golden. Thanks for the question about barcoding, because
that always seems to come up. The interesting scenario with 
barcoding is again, you have the DRE that has an electronic vote, 
and then there is a secondary or parallel paper printed vote over 
here. If there is a barcode printed on that paper ballot, then yes, 
a scanner can either read human readable text, OCR scanning, or 
it can read a barcode. If indeed a person with a disability is verify- 
ing what is in the barcode, and that is actually what is being 
counted, then yes, it works beautifully. 

However, if the barcode isn’t really the determinative ballot of
record, if it is the human readable text, then the person with a dis- 
ability needs to verify that human readable text. It could be that 
if the barcode is printed on the VVPAT specifically for the purpose
of counting ballots, which is kind of I think why it was originally 
going to be placed there, it wasn’t for accessibility purposes, if that 
is what is actually going to be counted by a scanner, then the per- 
son with a disability technically is the only one verifying what is 
going to be counted, because they are verifying what is in the 
barcode and all the sighted people are verifying the human read- 
able print, and yet that is not what is being counted. 

So I guess the answer is barcodes would be a great idea if that 
is what is being counted, then I actually think people with disabil- 
ities come out way ahead, because they are probably the only peo- 
ple verifying what is going to be the actual countable record. 

So it all boils down to what is being counted, what really is the 
ballot, and what is going to be counted. 

Mr. Clay. Would you say that the most acceptable equipment 
now in the polling places would be the optical scan with the audi- 
ble component on it? I mean, that is the one that election officials 
have demonstrated to me. They say that is the one that is widely 
accepted in the disabled community. Is that accurate? 

Ms. Golden. The two “types” of accessible machines most com- 
monly used are the ballot marking device, which is what you are 
talking about, an electronic interface with an optical scan marked 
ballot; or a DRE with or without paper. They are probably about 
split even. I wouldn’t have the data, but they are widely used, both 
of them, as accessible machines. 

The problem is with a ballot marking device you are 
disenfranchising people with motor disabilities, because they can- 
not physically handle that paper ballot through the process. DRE 
with a VVPAT, you are disenfranchising people with vision loss because
they can’t see the print on that paper.

So in essence, your choices of accessible machines right now are 
which disability constituency group would you rather disenfran- 
chise. 

Mr. Clay. That is a tough choice. [Laughter.] 

Ms. Golden. It is a great choice. 

Mr. Clay. Thank you for that response. 

Dr. Rubin, in your testimony, you discuss various vulnerabilities 
identified in the DRE machines used in Maryland since 2002. Can 
you offer us some detailed examples of the types of vulnerabilities 
identified or malfunctions that occurred in Maryland? 

Mr. Rubin. Sure. I also want to take this opportunity to comment 
on something that came up earlier today, where Maryland was 



106 


used as an example of a place that would have to switch from 
DREs, part of that 180,000. The Maryland House and Senate have 
passed a bill to move by 2010 to all paper optical scan, so they 
would be going anyway, although the Governor has not signed that 
bill yet. I just wanted to mention that. 

Working as a poll worker in Maryland, I encountered in the Sep- 
tember 2006 primary a lot of issues that had to do with the reli- 
ability of the electronic poll books. That is what received a lot of 
press. That is separate from the DREs. That is what is used to sign 
people in. 

There have been some problems of machine freezes, etc., but I 
don’t know of any tangible, viewable security problem that has oc- 
curred. That said, I think that the kind of security problems that 
I worry about don’t always manifest themselves in something no- 
ticeable. 

So the thought that if one of these machines accidentally had the 
wrong vote tally, there would be no way to know it. I think this 
is what we are seeing that happened when something actually visi- 
ble occurred in Sarasota County. What I ask myself is, how do we 
know that in Maryland there wasn’t a problem that just didn’t 
occur in a way that was visible? If 5 percent of the votes were re- 
corded for the wrong candidate, and everything falls within statis- 
tical exit polls, we wouldn’t know. 

Mr. Clay. That is troubling, what you just said. So do you be- 
lieve that there is a rate of error as far as miscounting votes? 

Mr. Rubin. I don’t actually believe that. My concern is that 
whenever there is an election, there is often a dispute. You have 
a loser. You have everyone except one usually loses. And so there 
is often a challenge to the election. There are a lot of people in the 
community that don’t feel that the right answer was obtained. We 
have a tradition of having recounts. With the DREs as we use them 
in Maryland right now, there is no way to perform these recounts, 
and there is no way to gain any assurance. 

That is a different question from, do I believe these mistakes 
have been occurring. I actually don’t have any reason to believe 
that they have or have not been occurring, but I am concerned with 
the fact that we can never resolve an issue if a situation occurs 
where there is reason to doubt the outcome. 

Mr. Clay. And Maryland has attempted to correct this how? 

Mr. Rubin. So Maryland has had several times bills have come 
before the House and Senate. The most recent one calls for all 
paper ballots with ballot marking devices for accessibility, and opti- 
cal scan for counting, and random audits. This bill, like I said, has 
passed the two houses in Maryland and is awaiting the Governor’s 
signature. 

Mr. Clay. Thank you for that response. 

Mr. Groh, to what extent have voting system manufacturers as- 
sessed their capacity to modify and upgrade voting systems for the 
2008 election? And furthermore, what are manufacturers doing 
now to project future demands on their resources and address their 
needs? 

Mr. Groh. I think the first thing that we have done is we have 
had a lot of sleepless nights. Part of it is when you don’t know
what you are going to be doing because there is not clear direction.
You then continue to worry about it. 

All of us, though, are trying to come up with scenarios and try 
and second guess what those scenarios are, but until we know for 
a fact what things are going to be implemented, it is hard for us 
to hit a target that will move. In fact, that has been a lot of the 
issues that we were all challenged with during the implementation 
of the HAVA, of where people needed to get the products purchased 
and installed by January 1, 2006. That created a tremendous 
amount of a time constraint, and so many of us were rushing to 
the goal line when we would have liked to have had more time to 
have made corrections that we knew about, but we didn’t have the 
time to do those things. 

So today, many of us are trying to address issues we saw in the 
2006 election to make sure that they are ready for 2008. We are 
trying to address that. You need to understand, to do anything for 
2008, I need to be ready to implement from my company’s perspec- 
tive in about November or October of this year. The first elections 
are in February 2008. 

We will be doing early balloting and voting on that will happen 
45 days in advance. If you back up ballot layout, ballot proof, logic 
and accuracy, public testing and so forth in there, you run yourself 
out of time. So getting through a certification process on new tech- 
nology between now and 2008, it is going to be impossible to do. 

Mr. Clay. In light of the dysfunctional processes identified in the 
current lab certification process for systems, what are your views 
on the EAC’s current voting system certification process? 

Mr. Groh. The process the EAC is implementing is a much more 
rigorous level. It is like, to use an analogy, it is like stepping from 
high school basketball to professional basketball. It has that kind 
of a differential. 

To implement that, you can’t implement it overnight. So they are 
going through a process right now of certifying the labs under a 
NIST program called NAVLAB, which is a national laboratory cer- 
tification program that they put them through. That is the piece 
that you were challenging Commissioner Hillman to earlier about 
what they found out in their evaluation of CIBER to meet that new 
test lab process. 

We right now are seeing from a manufacturer’s standpoint there 
is a constraint or there is a keyhole that we are trying to go 
through in the test labs. There are only two of them available. We 
can’t get all of our product, that is stacked up there like airplanes 
waiting to land, through those two. We know that NAVLAB will 
free that up, but you have to give them enough time to get the 
NAVLAB program in place to get enough laboratories available. 

Mr. Clay. Has the ETC developed its own recommendations for 
improving the system? 

Mr. Groh. Yes, we have. We submitted from the May timeframe 
of 2005, when NIST and TGDC presented their recommendations 
on the VVSG, we were part of helping them develop and answer
questions. We were allowed to provide comments, and we are con- 
tinuing to work in the process of the new programs that they are 
looking at, the new VVSG standards and the certification process.





Mr. Clay. As a final question for you, are the threats to voting 
system security changing? And what more needs to be done to un- 
derstand and address the threats? 

Mr. Groh. Dr. Rubin’s ACCURATE organization is doing some 
of that because they are looking at how voting systems and the 
voter interface and interact. There are probably four or five other 
organizations that are doing the same thing. 

From the vendors’ perspective, we do think this is an end to end
process. So from the time that we develop a product, Q/A it, run 
it through certification, there are a whole group of other activities 
that happen that are all part of certification, such as the State 
level. There are 36 States that do their own State-level certification 
on that is an enhanced version of it over the EAC’s process. 

Additionally, there is acceptance testing done by the local elec- 
tion officials. There is chain of custody programs that they are im- 
plementing and putting into place under the EAC’s guidance and 
direction. 

But to me, the biggest security principle that we have in this is 
the fact that these voting systems are used widely across the 
United States. They are not all one uniform, unique system. It is 
impossible to get access to all of these systems, to get in there and 
do something with them, because they are all different from each 
other. So that alone creates a layer of security in here that people 
don’t recognize or see that is there. 

And then you have the citizenry that oversees it. The poll work- 
ers are voters and are citizens that are voting and using that. Hun- 
dreds of thousands of them work on this. You have local oversight 
into that through them. 

Mr. Clay. Thank you for that response. 

Dr. Rubin, in yesterday’s PC World, there was an article about 
research being conducted at University College Dublin in order to 
develop a more secure e-voting software architecture through the 
use of open source software. Can you offer us an opinion on how 
the EAC could alter the current accreditation and certification 
process in order for it to become more transparent and reliable? 

Mr. Rubin. Sure. I am familiar with that article. I think that a 
lot of the attention that has been placed by people who are de- 
scribed in that article on open source in my opinion are somewhat 
misguided. You can have all kinds of bugs and security flaws in 
software that is open source, just as you can in software that is not 
open source. 

It is my belief that you are not necessarily much more likely to 
expect to find these problems in open source as you are in things 
that are not open source, because bugs are that difficult to find. 

In terms of what the EAC can do, I think following NIST’s advice 
and striving for software independence. If we had a software inde- 
pendence system as defined by NIST, then it wouldn’t really matter 
if the software was that secure, and it wouldn’t really matter if the 
software was open or not, because software independence means 
that you are not depending on the software for security. 

So I don’t want to sound like a broken record with respect to 
paper, but right now I can’t think of a system that provides soft- 
ware independence that is not based on paper. I do think there are 
such systems in the works, and I am a big fan of the cryptographic
systems that are being developed. I don’t think that they are ready
to be deployed in any precincts right now, but someday they will 
be. 

Mr. Clay. Can you offer us an opinion on how the EAC could 
alter the current accreditation and certification process in order for 
it to become more transparent and reliable? 

Mr. Rubin. I think that several things could happen. The EAC 
could require what is known as red team testing of the machines, 
which is different from the kind of testing them to a standard, 
where you get security experts and software experts to have a field 
day with these things in the lab and try to break them and find 
out where the weaknesses are. I think that is the best way to test 
security these days. 

Mr. Clay. Thank you for that response. 

Ms. Golden, as a final question, has the voting system vendor 
community been receptive to the needs of the disabled community? 
Are there adequate systems development efforts underway to im- 
prove the accessibility of voting systems under the new guidelines? 

Ms. Golden. Since I am sitting right next to Mr. Groh, I would 
never say no to that question, and in all fairness, the vendor com- 
munity has I think worked very, very hard on accessibility. 

I will say the progress has kind of been in fits and starts, but 
some of that was very legitimate. First off, we didn’t have good 
accessibility standards until the VVSG came out, which does provide 
a robust set of access standards that they could actually build to. 

In terms of accessibility, this is similar at least to architectural 
access. Until we had good architectural access standards that said 
door widths need to be X wide and slopes need to be this kind of 
slope, and grab rails need to go here, people didn’t know how to 
build something accessible, so part of it had to do with standards. 

Part of it, too, quite frankly, is the vendor community did what 
seemed logical, which was they went to constituency groups of peo- 
ple with disabilities and asked them what they wanted. The classic 
example that I always give is a vendor who went to a bunch of 
blind folks who were very competent technology users. What they 
wanted is going to be very different from what older blind people 
who are not very technology savvy are going to want and need. So 
they built the system, and it did work very, very well for blind peo- 
ple who were technology savvy. The older blind population had a 
heck of a time figuring out a 10 key pad and a this and a that. 

So some of it, too, was just not being familiar with the disability 
community as a very diverse group of people. Someone with ALS 
is very different from someone who is blind, who is very different 
from someone with cerebral palsy. Knowing that whole population, 
I think it has been a bit of a learning curve for the vendor indus- 
try. 

But yes, I would say they are very committed to it. I don’t think 
anybody doesn’t want people with disabilities to have a completely 
private independent vote. 

Mr. Clay. So the issues relevant to the disabled community are 
solvable by the industry, as long as they work together with the 
disabled community? 

Ms. Golden. Yes. And I think technologically, the solutions are 
there. It is just going to take us some time and money to get there, 
and a clear vision. Part of this has been too, we are going to do 
electronic votes; no, we are going to go back to paper. If we had 
been focused on paper all along, we might have been a little further 
ahead in this game, but we have gone back and forth. If paper is 
the game, then we just need to make it accessible. We have a cou- 
ple of big issues to solve, and somebody just needs to get down to 
it, and solve it and be done with it. 

Mr. Clay. Thank you. 

Thank you for your response. Let me thank the panel for their 
response. I will allow anyone on the panel to make a closing state- 
ment, if you have any. 

Dr. Rubin, you may proceed. 

Mr. Rubin. OK. There is one thing I didn’t get to in my opening 
remarks. I wanted to point out that DREs did break ground in ac- 
cessibility, but that the accessibility features are not particular to 
DRE, and some of this has come out. I think the same accessibility 
features can be obtained with op scan using ballot marking ma- 
chines and accessible verification technologies. I agree that a lot of 
work needs to be done to make that happen so it is usable in a pre- 
cinct. 

I want to point out that the security community is not advocating 
compromising on accessibility, but rather preserving accessibility, 
but adding security and audit. 

Mr. Clay. Thank you for that. 

Mr. Groh. 

Mr. Groh. Yes. I would like to just close with a couple of things. 
The Election Technology member companies, we believe we are a 
stakeholder in this. The companies and all the employees that are 
involved in this, our aim has been always in the products that we 
build and the development we work with and the interfaces we 
have, whether it is with Secretaries of State or with the accessibil- 
ity community, and that is a broad community. There are many, 
many organizations, but it has been to be responsive to all voters, 
the local election officials, State and Federal Government, and kind 
of in that order. 

We are also committed to providing safe, accurate, secure and re- 
liable, accessible voting systems, but we need to know what that 
target is and we will build it. People are saying, if you build this, 
we will buy it or we will come. So that is what we want, and we 
need those definable solutions. 

The closing pieces would be you need to allow the time to do this. 
That has been, if I can say there is one root cause of many of the 
issues that we are dealing with today, we have never given it 
enough time to allow everybody to get to the table and hash and 
debate this out. There are many good ideas that can come out of 
that discussion, but we have always tried to do that in about a 2 
month or 3 month window of time. It is not enough time. 

The other one is to encourage you to make sure you consider 
funding responsiveness on this, because the No. 1 competitor that 
I have experience being in this business since 1995, was not an- 
other competitor. It was the local election official saying, I don’t 
have enough money. They knew they wanted better election equip- 
ment, but they had a school or a library or a road that needed to 
be done. 





HAVA allowed us to make a huge leap forward. Let’s not throw 
that all away, but if we are going to spend the next round of 
money, let’s do it very, very appropriately. We don’t need to rush 
to the finish line on this one. 

Mr. Clay. Thank you so much, Mr. Groh. 

Dr. Golden. 

Ms. Golden. Since everybody else did something, of course I 
can’t be outdone. I might as well. 

Mr. Clay. You might as well. Please do. 

Ms. Golden. Just a couple of quick points. 

One is to follow up on a question you asked earlier about the 
Technical Guidelines Development Committee, and representation 
of accessibility interests. I talked with Commissioner Hillman a lit- 
tle bit after the closing of the first round. The disability community 
I think as a whole does have a bit of a concern with the degree to 
which accessibility interests are being discussed as part of the 
Technical Guidelines Development Committee. They are working 
on the next iteration of the VVSG, and yet again we are finding 
that security interests are trampling accessibility, for lack of a bet- 
ter way of describing it, and no one is at the table saying, wait a 
minute; I am not telling you not to do this, but if you do “A,” you 
have again diminished accessibility. 

The accessibility community just seems to always be playing 
catch-up behind the game. The train seems to be driven by the se- 
curity issues, and it is always the afterthought, oh, oops, you mean 
if we require not only software independence, but hardware inde- 
pendence, then we also have caused another accessibility problem. 
Yes. So that continues to be a concern. 

And the second issue has to do with the testing facilities and 
labs. The EAC has a new process, much more rigorous. We have 
not seen the outputs of that process yet, but in terms of accessibil- 
ity, I guess I am fearful again that we are not going to be ade- 
quately represented in terms of the skills and expertise in those 
labs. 

What I saw in the first round of conformance to the FEC 2002 
access standards, I would get a report, worked with Secretary of 
State Carnahan and our group. Missouri does certify equipment, in 
addition to national certification. When we looked at the equip- 
ment, I would see the testing lab report and it would say this piece 
of equipment conformed to this access standard, and yet I could tell 
it didn’t. The vendor could tell it didn’t. And yet, the certification 
statement said, yes, it conformed. 

So I am fearful, or at least I would like to hope that we have 
more expertise involved in judging conformance and evaluating 
conformance to the access standards. They are highly technical. 
You have to know something about people with disabilities and ac- 
cessibility if you are going to judge conformance to those standards. 
I don’t know enough about those labs to know if they have that 
kind of expertise or not, quite frankly. 

Mr. Clay. Thank you for that. 

Let me thank this panel, and the previous panel, for their expert 
testimony today on such an important subject to this committee, to 
this Congress, and to the American public, so that they can have 
confidence in their vote and ensure that it is counted accurately, 
and that they can have a better understanding of the electronic 
voting systems that each State administers. 

So I want to say thank you to this panel and the previous panel 
for their testimony. 

Without objection, the committee stands adjourned. 

Thank you. 

[Whereupon, at 5:55 p.m. the subcommittee was adjourned.] 




